Hackers demo persistent, quiet attacks through Windows DSC

Desired State Configuration tool can create state of chaos

AUDIO from Black Hat Asia Forensics men Matt Hastings and Ryan Kazanciyan have flipped the Windows Desired State Configuration (DSC) into a covert persistence mechanism and weapon in a new attack vector to own Windows boxes.

The Tanium security duo released the DSCompromised framework of Powershell scripts and modules that help attackers use DSC, while smoothing over otherwise confusing and undocumented bugs.

They told Black Hat Asia in Singapore last week that attackers abusing DSC can continually and covertly re-infect Windows systems.

The pair say they were keen to showcase the new attack and suggested defences to the security community before criminals find the vector on their own.

"If not properly remediated, DSC will automatically re-infect the victim by re-dropping the file and re-executing the malware without notifying the user," Kazanciyan says.

"We have yet to see an example of this attack happening in the wild - that doesn't mean it isn't happening - but it does give us hope that we can get this out there so that red and blue teams are aware."

Their attack works in DSC pull mode where compromised clients issue requests over HTTPS to servers either located on the internet or within the victim's network.

Listen: | Download | Slides (start from page 11) DSCompromised: A Windows DSC Attack Framework.

Powershell 3 and later sport script and module logging features that warn admins of running scripts, and would also log Hastings' and Kazanciyan's attack. Moreover script heuristics in Powershell 5 may also trigger some flags when the attack is run, but the duo haven't tested its efficacy.

Matt Hastings (Ryan Kazanciyan is off camera).

The two have urged interested hackers to contribute to the DSCompromised framework hosted on GitHub. ®


Biting the hand that feeds IT © 1998–2017