Keep Windows machines infected abusing Windows Desired State Configuration (DSC)

Pierluigi Paganini April 05, 2016

Two forensics experts have demonstrated how to abuse the Windows Desired State Configuration (DSC) feature to gain persistence on the compromised machine.

DSC compromise attack

“If not properly remediated, DSC will automatically re-infect the victim by re-dropping the file and re-executing the malware without notifying the user,” explained Kazanciyan.

“We have yet to see an example of this attack happening in the wild – that doesn’t mean it isn’t happening – but it does give us hope that we can get this out there so that red and blue teams are aware.”

The experts also provided useful suggestions for preventing the attack from being exploited in the wild by cyber criminals. PowerShell 3 and later can log the execution of malicious scripts like the ones used in Hastings' and Kazanciyan's attack.
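A defender-side triage script for the points above (LCM settings that allow re-application, staged MOF documents, and PowerShell/DSC event logs), added here as an example; it is not code from the article or from the DSCompromised project. It assumes WMF 5 (where Get-DscConfiguration and script block logging are available), an elevated prompt, and the standard DSC paths; the keyword list used to filter events is an assumption.

```powershell
# Added triage script (not from the article or the DSCompromised project).
# Run from an elevated PowerShell 5 prompt on the host being examined.

# 1. LCM settings. 'ApplyAndAutoCorrect' re-applies the configuration on every
#    consistency check, which is what lets a malicious DSC configuration
#    re-drop and re-run a payload after a partial clean-up.
$lcm = Get-DscLocalConfigurationManager
[PSCustomObject]@{
    ConfigurationMode = $lcm.ConfigurationMode
    RefreshMode       = $lcm.RefreshMode
    FrequencyMins     = $lcm.ConfigurationModeFrequencyMins
    RebootIfNeeded    = $lcm.RebootNodeIfNeeded
} | Format-List

# 2. Staged MOF documents. Current.mof is what the LCM enforces; Pending.mof
#    is applied on the next consistency check.
$dscDir = Join-Path $env:SystemRoot 'System32\Configuration'
Get-ChildItem $dscDir -Filter '*.mof' -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime

# 3. Resources in the enforced configuration. File and Script resources that
#    write to disk or run code are the ones to inspect first.
Get-DscConfiguration -ErrorAction SilentlyContinue |
    Select-Object ResourceId, @{n='Type'; e={ $_.CimClass.CimClassName }} |
    Format-Table -AutoSize

# 4. Is script block logging turned on? With WMF 5 it writes event 4104,
#    including the script text, to the PowerShell operational log.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$enabled = (Get-ItemProperty $sbl -ErrorAction SilentlyContinue).EnableScriptBlockLogging
"ScriptBlockLogging enabled: $($enabled -eq 1)"

# 5. DSC-related activity in the last 7 days. The keywords are an assumed
#    starting point covering the DSC cmdlets and the LCM CIM class name.
$keywords = 'DscConfiguration', 'DscLocalConfigurationManager'
$pattern  = ($keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'
$since    = (Get-Date).AddDays(-7)
$snippet  = @{n='Snippet'; e={ $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) }}

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated, Id, $snippet

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DSC/Operational'; StartTime=$since} -ErrorAction SilentlyContinue |
    Select-Object -First 20 TimeCreated, Id, $snippet
```

If the LCM is in ApplyAndAutoCorrect mode with an unexpected Current.mof, remediation means removing the configuration (Remove-DscConfigurationDocument on WMF 5) and resetting the LCM, not only deleting the dropped file.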

The experts are inviting hackers to contribute to their DSCompromised framework, which is available on GitHub.

Take a look at the slides of the presentation or download the audio.


Pierluigi Paganini

(Security Affairs – Cisco FirePower firewall, hacking)
