Keep Windows machines infected abusing Windows Desired State Configuration (DSC)

At the last Black Hat Asia, the forensics experts Matt Hastings and Ryan Kazanciyan from Tanium have demonstrated how to abuse the Windows Desired State Configuration (DSC) feature to gain persistence on the compromised machine.

The DSC is a PowerShell extension implemented in Windows Server 2012 R2 and Windows 8.1, it allows administrators to:

• Install or remove server roles and features
• Manage registry settings
• Manage files and directories
• Start, stop,and manage processes and services
• Manage local groups and user accounts
• Install and manage packages such as .msi and .exe
• Manage environment variables
• Run Windows PowerShell scripts
• Fix a configuration that has drifted away from the desired state
• Discover the actual configuration state on a given node

The duo has released the DSCompromised framework of Powershell scripts and modules that could be used by attackers to abuse DSC and maintain persistence on the infected Windows machine in a covert way.

In their presentation the experts highlighted that they haven’t exploited any zero-day flaw in DSC neither they have identified ways to escalate privileges with DSC.

Their attack technique works in the DSC pull mode, in this scenario compromised windows machine send requests over HTTPS to servers either located on the Internet or within a local network.

The points of strength of the technique are its flexibility in implementing the persistence mechanism, it is covert to most security tools and allows automatic re-infection of the targeted host.

What are its limitations?

The attack is very difficult to learn and use despite the availability of PowerShell scripts issued by the duo- The attack requires PS 4.0 on victim and the use of a command and control infrastructure and Admin privileges on the victim host.