At the last Black Hat Asia, the forensics experts Matt Hastings and Ryan Kazanciyan from Tanium have demonstrated how to abuse the Windows Desired State Configuration (DSC) feature to gain persistence on the compromised machine.
The DSC is a PowerShell extension implemented in Windows Server 2012 R2 and Windows 8.1, it allows administrators to:
The duo has released the DSCompromised framework of Powershell scripts and modules that could be used by attackers to abuse DSC and maintain persistence on the infected Windows machine in a covert way.
In their presentation the experts highlighted that they haven’t exploited any zero-day flaw in DSC neither they have identified ways to escalate privileges with DSC.
Their attack technique works in the DSC pull mode, in this scenario compromised windows machine send requests over HTTPS to servers either located on the Internet or within a local network.
The points of strength of the technique are its flexibility in implementing the persistence mechanism, it is covert to most security tools and allows automatic re-infection of the targeted host.
What are its limitations?
The attack is very difficult to learn and use despite the availability of PowerShell scripts issued by the duo- The attack requires PS 4.0 on victim and the use of a command and control infrastructure and Admin privileges on the victim host.
“If not properly remediated, DSC will automatically re-infect the victim by re-dropping the file and re-executing the malware without notifying the user,” explained Kazanciyan.
“We have yet to see an example of this attack happening in the wild – that doesn’t mean it isn’t happening – but it does give us hope that we can get this out there so that red and blue teams are aware.”
The experts also provided useful suggestions on the attack in order to prevent its exploitation in the wild by cyber criminals. The Powershell 3 and later are able to log the execution of malicious script like the ones used by Hastings’ and Kazanciyan’s attack.
The experts are inviting hackers to contribute to the theirDSCompromised framework which is available on GitHub.
Give a look to the Slides of the presentation or download the audio.
(Security Affairs – Cisco FirePower firewall, hacking)