Two forensics experts have demonstrated how to abuse the Windows Desired State Configuration (DSC) feature to gain persistence on a compromised machine.
At the latest Black Hat Asia conference, forensics experts Matt Hastings and Ryan Kazanciyan of Tanium demonstrated how to abuse the Windows Desired State Configuration (DSC) feature to maintain persistence on a compromised machine.
DSC is a PowerShell extension introduced with PowerShell 4.0 in Windows Server 2012 R2 and Windows 8.1; it allows administrators to:
Install or remove server roles and features
Manage registry settings
Manage files and directories
Start, stop, and manage processes and services
Manage local groups and user accounts
Install and manage packages such as .msi and .exe
Manage environment variables
Run Windows PowerShell scripts
Fix a configuration that has drifted away from the desired state
Discover the actual configuration state on a given node
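To make that list concrete, here is a minimal DSC configuration that uses three of those capabilities: it keeps a directory and a file in place, keeps a service running, and runs an arbitrary script whenever a test condition fails. This is an added illustration, not code from the talk or from the DSCompromised framework; the configuration name, the paths and the choice of the W32Time service are assumptions, while the resources and cmdlets are the standard ones shipped with PowerShell 4.0.

```powershell
# Added example: a small DSC configuration exercising the File, Service and
# Script resources. Names, paths and the W32Time service are illustrative.
Configuration BaselineNode {
    param([string[]]$NodeName = 'localhost')

    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeName {

        # Keep a directory present; DSC recreates it if it disappears.
        File DemoDir {
            Ensure          = 'Present'
            Type            = 'Directory'
            DestinationPath = 'C:\ProgramData\DscDemo'
        }

        # Keep a file with fixed contents; any edit or deletion is reverted
        # on the next consistency check when the LCM is in AutoCorrect mode.
        File BannerFile {
            Ensure          = 'Present'
            Type            = 'File'
            DestinationPath = 'C:\ProgramData\DscDemo\banner.txt'
            Contents        = 'Managed by DSC'
            DependsOn       = '[File]DemoDir'
        }

        # Keep the Windows Time service running and set to start automatically.
        Service TimeService {
            Name        = 'W32Time'
            State       = 'Running'
            StartupType = 'Automatic'
        }

        # Run arbitrary PowerShell whenever TestScript returns $false. This is
        # the resource behind the "Run Windows PowerShell scripts" capability,
        # and the one that makes DSC interesting as a persistence mechanism.
        Script EnsureMarker {
            GetScript  = { @{ Result = (Test-Path 'C:\ProgramData\DscDemo\marker') } }
            TestScript = { Test-Path 'C:\ProgramData\DscDemo\marker' }
            SetScript  = { New-Item -ItemType File -Path 'C:\ProgramData\DscDemo\marker' -Force | Out-Null }
            DependsOn  = '[File]DemoDir'
        }
    }
}

# Compile the configuration to a MOF document (.\BaselineNode\localhost.mof) ...
BaselineNode -OutputPath .\BaselineNode

# ... apply it in push mode from an elevated prompt and wait for the run to finish ...
Start-DscConfiguration -Path .\BaselineNode -Wait -Verbose -Force

# ... then delete the banner file and ask DSC whether the node still matches
# the desired state. Test-DscConfiguration now returns $false.
Remove-Item 'C:\ProgramData\DscDemo\banner.txt'
Test-DscConfiguration
```

With the default ConfigurationMode of ApplyAndMonitor the LCM only reports the drift; set to ApplyAndAutoCorrect it silently recreates the file on the next consistency check, which is exactly the behaviour the researchers turned into a re-infection mechanism.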
The duo released DSCompromised, a framework of PowerShell scripts and modules that an attacker could use to abuse DSC and covertly maintain persistence on an infected Windows machine.
In their presentation the experts stressed that they had not exploited any zero-day flaw in DSC, nor had they identified any way to escalate privileges with it.
Their technique relies on DSC's pull mode: the compromised Windows machine periodically polls a pull server over HTTPS for its configuration document and the resource modules needed to apply it, and the server can sit on the Internet or on the local network. In DSC terms, the attacker runs the pull server and the victim's Local Configuration Manager (LCM) fetches and enforces whatever configuration it publishes.
The strengths of the technique are its flexibility in how the persistence is implemented, its low visibility to most security tools, and its ability to re-infect the targeted host automatically.
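For reference, this is how a node is switched to pull mode using the PowerShell 4.0 meta-configuration syntax. It is an added example of the documented administrative procedure, not code from DSCompromised; the server URL and the configuration ID are placeholders. The point for defenders is that this handful of LCM settings, with the URL pointing at an attacker-controlled server and ConfigurationMode set to ApplyAndAutoCorrect, is all the pull-mode persistence needs once the attacker holds administrator rights on the host.

```powershell
# Added example: LCM meta-configuration that puts a node into pull mode
# (PowerShell 4.0 syntax, still accepted by 5.x). ServerUrl and the GUID are
# placeholders chosen for illustration.
Configuration PullClientLcm {
    param(
        [Parameter(Mandatory)] [string] $NodeName,
        [Parameter(Mandatory)] [string] $ServerUrl,
        [Parameter(Mandatory)] [guid]   $ConfigurationId
    )

    Node $NodeName {
        LocalConfigurationManager {
            # The node asks the pull server for <ConfigurationId>.mof
            ConfigurationID           = $ConfigurationId
            RefreshMode               = 'Pull'
            DownloadManagerName       = 'WebDownloadManager'
            DownloadManagerCustomData = @{
                ServerUrl               = $ServerUrl
                AllowUnsecureConnection = 'false'   # insist on HTTPS
            }
            # How often to poll the server and how often to re-check local state
            RefreshFrequencyMins           = 30
            ConfigurationModeFrequencyMins = 30
            # AutoCorrect is what silently re-applies the configuration after
            # anything (a user, an AV clean-up) removes what it put in place.
            ConfigurationMode  = 'ApplyAndAutoCorrect'
            RebootNodeIfNeeded = $false
        }
    }
}

# Compile the meta-configuration (produces .\PullClientLcm\localhost.meta.mof)
PullClientLcm -NodeName 'localhost' `
              -ServerUrl 'https://pull.example.internal:8080/PSDSCPullServer.svc' `
              -ConfigurationId ([guid]::NewGuid()) `
              -OutputPath .\PullClientLcm

# Apply it to the local LCM (elevated prompt) and read the result back
Set-DscLocalConfigurationManager -Path .\PullClientLcm -Verbose
Get-DscLocalConfigurationManager |
    Select-Object RefreshMode, ConfigurationMode, DownloadManagerCustomData
```

Once applied, the LCM writes these settings to MetaConfig.mof under C:\Windows\System32\Configuration and starts polling on its own; nothing further has to run on the host for the configuration to be fetched and enforced.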
What are its limitations?
The attack is very difficult to learn and use despite the availability of the PowerShell scripts released by the duo. It requires PowerShell 4.0 on the victim, a command-and-control infrastructure (the pull server), and administrator privileges on the victim host.
“If not properly remediated, DSC will automatically re-infect the victim by re-dropping the file and re-executing the malware without notifying the user,” explained Kazanciyan.
“We have yet to see an example of this attack happening in the wild – that doesn’t mean it isn’t happening – but it does give us hope that we can get this out there so that red and blue teams are aware.”
The experts also offered practical advice for detecting the technique before criminals adopt it in the wild. PowerShell 3.0 and later can log the execution of scripts such as those used in Hastings' and Kazanciyan's attack (module logging; PowerShell 5.0 adds script block logging), so enabling that logging and collecting it centrally is the first line of defence.
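The following hunting script, added here as an example and not taken from the talk, is what a blue team would run on a suspect host to surface the artefacts this kind of persistence leaves behind (LCM settings, MOF documents on disk, the resources the active configuration manages, DSC's own event log) and to switch on the PowerShell logging mentioned above. The allow-list of expected pull servers is an assumption to be replaced with your own; the cmdlets, file paths, registry keys and event channels are the standard ones.

```powershell
# Added example: hunting for DSC-based persistence on a suspect host and
# turning on PowerShell logging. Run from an elevated PowerShell 4.0+ prompt.
# $ExpectedPullServers is an assumption: list your organisation's real pull servers.
$ExpectedPullServers = @('pull.example.internal')

# --- 1. Local Configuration Manager settings -------------------------------
$lcm = Get-DscLocalConfigurationManager
"RefreshMode={0}  ConfigurationMode={1}  RefreshEvery={2}m  CheckEvery={3}m" -f `
    $lcm.RefreshMode, $lcm.ConfigurationMode,
    $lcm.RefreshFrequencyMins, $lcm.ConfigurationModeFrequencyMins

# Pull server URL: PowerShell 4.0 keeps it in DownloadManagerCustomData
# (Key/Value pairs), 5.x in ConfigurationDownloadManagers (.ServerURL).
$urls  = @()
$urls += $lcm.DownloadManagerCustomData | Where-Object { $_.Key -eq 'ServerUrl' } | ForEach-Object Value
$urls += $lcm.ConfigurationDownloadManagers | ForEach-Object ServerURL
foreach ($u in ($urls | Where-Object { $_ })) {
    $serverHost = ([uri]$u).Host
    if ($lcm.RefreshMode -eq 'Pull' -and $serverHost -notin $ExpectedPullServers) {
        Write-Warning "LCM pulls its configuration from an unexpected server: $u"
    } else {
        "Pull server: $u"
    }
}

# --- 2. Configuration documents on disk -----------------------------------
# The LCM stores the active, pending, previous and meta configuration here;
# the timestamps tell you when a configuration was last pushed or pulled.
Get-ChildItem 'C:\Windows\System32\Configuration\*.mof' -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime

# --- 3. What the current configuration actually manages --------------------
# Script, File, Package and WindowsProcess resources are the natural carriers
# for a drop-and-execute persistence, so list those first.
Get-DscConfiguration -ErrorAction SilentlyContinue |
    Where-Object { $_.ResourceId -match '^\[(Script|File|Package|WindowsProcess)\]' } |
    Select-Object ResourceId, DestinationPath, Path, Arguments

# --- 4. DSC's own event log ------------------------------------------------
# Every consistency check, pull and resource Set is recorded here.
Get-WinEvent -LogName 'Microsoft-Windows-DSC/Operational' -MaxEvents 30 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }

# --- 5. Turn on PowerShell logging -----------------------------------------
# Module logging (PowerShell 3.0+) records pipeline execution as event 4103;
# script block logging (PowerShell 5.0+) records the code itself as event 4104.
# Both land in Microsoft-Windows-PowerShell/Operational. These are the same
# registry values the corresponding Group Policy settings write.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$pol\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$pol\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$pol\ModuleLogging\ModuleNames" -Name '*' -Value '*'
New-Item -Path "$pol\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$pol\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
```

A host whose LCM is in Pull mode while your organisation only ever pushes configurations, or whose pull server is not on the allow-list, deserves an incident; so does a Script or WindowsProcess resource that nobody can account for. Forward both the DSC and the PowerShell operational channels to your SIEM, because a remediation that removes the dropped file without also resetting the LCM is exactly the case in which DSC quietly puts it back.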
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".