Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Sergey Golovanov - Indecent Response 2018

0c988f4618b436b14ce6ddcecd52d11d?s=47 DC7499
February 10, 2018
Education
0
290

Sergey Golovanov - Indecent Response 2018

0c988f4618b436b14ce6ddcecd52d11d?s=128

DC7499

February 10, 2018
Tweet

More Decks by DC7499

See All by DC7499
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
160
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
120
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
210
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
1
180
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
1
150
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
170
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
240
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
0
280
0c988f4618b436b14ce6ddcecd52d11d?s=48 defcon
1
340

Other Decks in Education

See All in Education
35fc315d1611144ee31feaebbf5e854a?s=48 ynakamur
0
110
7de49e20d3fff780f9ebe13a842f8062?s=48 willmaehon
0
220
D9d7af0f62576d5d30bf78bd10f07c6f?s=48 strikr
0
310
Cf0e7e45defe9fa007d291dcc6d5db23?s=48 zam
0
110
1784dc14078e1814c6d0c0959b0b7324?s=48 sapi_kawahara
8
1.9k
1918162b15726c597ae8b9c9fb78ee0f?s=48 learnenergy2
0
150
0908532ec53a5aae03cfd0879f0895a6?s=48 hiroaki0619
0
570
5e3e242089cda76ced40380255c25a18?s=48 acoach
0
140
5343286d8d4de6cc782a3c614a121e67?s=48 cardososampaio
0
130
18cdb6f294c8cb10a46167e462c2a51f?s=48 matleenalaakso
0
4.3k
Ed9de8b56b64414bee8d94a2bfb58962?s=48 cheskanilao
0
140
7de49e20d3fff780f9ebe13a842f8062?s=48 willmaehon
0
340

Featured

See All Featured
761be20b5ebd271008bcee1244fc5b52?s=48 matthewcrist
73
7.5k
B3ace07412a5178ea778e7eec161fc0a?s=48 jcasabona
8
550
766b9746b59e6f09e280cd33cf4ed419?s=48 skipperchong
8
710
25c7c18223fb42a4c6ae1c8db6f50f9b?s=48 mojombo
358
62k
C4de88ea47538e4594750e3861a341c8?s=48 brettharned
93
3k
5ce91fa49a613cbc3e20d5f96856473f?s=48 edds
56
9.4k
E4f5d494ebdc9e7cce1aecf3ce3e8bc1?s=48 shpigford
165
19k
C0b42577cfc2b321be3474618107e933?s=48 samanthasiow
56
6.3k
8ec1383b240b5ba15ffb9743fceb3c0e?s=48 philnash
9
580
E195ae45320d9202eaa01c9f1d31a416?s=48 marktimemedia
7
390
651dcfe41723207fbb0aa044a4f7c07f?s=48 dotmariusz
94
5.5k
9cde37f47e4a800ea081ea42de8d749a?s=48 dougneiner
55
5.4k

Transcript

  1. Indecent response 2018 Sergey @k1k_ Golovanov Principal Security Researcher Kaspersky

    Lab

  2. Challenge: find a SDC bus speed

  3. None

  4. Agenda 1.Shadowpad 2.0x403AA91EE 4.Plans 3.Scanner2

  5. 1.Shadowpad

  6. Case overview: 1.Antifraud system in a bank is detecting printing

    of a lot of elite cards for the last several hours 2.Bank is starting network audit 3.Bank is discovering suspicion DNS requests 4.Forensics can not find malware on PCs 5.Bank asks for help…

  7. DNS requests

  8. None
  9. None

  10. “Our worldwide customers range from small businesses right up to

    global Fortune 500 companies.” NetSarang AmericanExpress BankofAmericaCorp. BankofChina BNPParibas Citigroup DeutscheBank Fortis GeneralElectric INGGroup MerrillLynch MorganStanley ShinhanFinancialGroup SocieteGenerale UBS https://webcache.googleusercontent.com/search?q=cache:m7Nc1_mRksgJ:https://www.netsara ng.com/about/client.html+&cd=1&hl=ru&ct=clnk&gl=ru

  11. https://securelist.com/shadowpad -in-corporate-networks/81432/

  12. What was done?

  13. AutoMA – static analysis framework

  14. Shadowpad after autoMA

  15. Miniduke after autoMA

  16. 2.0x403AA91EE

  17. Case overview:

  18. None
  19. None

  20. How to find suspicion DNS requests? sort | uniq -c

    | sort -rn

  21. How to find suspicion powershell? sort | uniq -c |

    sort -rn

  22. parse_evtx.exe System.evtx | findstr /i "power" | more Record #2396788

    2027.02.22-08:03:00 'Computer':PC1', 'Channel':'System', 'EventSourceName':'Service Control Manager', 'Guid':‘GUID'Name':'Service Control Manager', 'xmlns':'http://schemas.microsoft.com/win/2004/08/events/event', 'Level':04, 'Opcode':00, 'Task':0000, 'EventID':7045 (A service was installed in the system.), 'Qualifiers':16384, 'Keywords':8080000000000000, 'SystemTime':2027.02.22-08:03:00, 'ProcessID':00000648, 'ThreadID':00010692, 'EventRecordID':0000000002396788, 'Version':00, 'UserID':SID, 'ServiceName':‘1aec4f0', 'ImagePath':'%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5A FMAdAByAGUAYQBtACgA

  23. https://github.com/KasperskyLab/ForensicsTools/

  24. 3.Scanner2

  25. Case overview: 1. No money 2. No logs 3. No

    team 4. No idea about network 5. CISO!

  26. What to do? we need logs we need mfts we

    need regs

  27. WE NEED TO RECOMPILE EVERYTHING!

  28. Awesome batch file

  29. How to find something suspicion ? sort | uniq -c

    | sort -rn

  30. https://cdn.securelist.com/files/ 2017/12/HappyNewYear.zip

  31. 4. PLANS

  32. 1. MFT is a hell. Sleuthkit is not enough. We

    need more data about deleted files. 2. USN J is required with no HDD touch. 3. Reg analysis is needed with unallocated part.

  33. Agenda 1.Shadowpad 2.0x403AA91EE 4.Plans 3.Scanner2

  34. Зачем?

  35. None

  36. Thank you! Sergey @k1k_ Golovanov Principal Security Researcher Kaspersky Lab