DSCompromised: A Windows DSC Attack Framework

Presented at Black Hat Asia 2016, Unknown date/time (Unknown duration).

DSCompromised is a PowerShell-based toolkit that leverages Windows Desired State Configuration (DSC) for command-and-control, malware persistence, and automatic re-infection of compromised systems. Never heard of DSC before? Worry not! We'll first explain the basics of how DSC, Microsoft's next-gen enterprise management technology, works - and how it can be controlled and abused by an attacker. Next, we'll walk through the steps necessary to use our DSCompromised framework to set up a command-and-control server, generate payloads, infect a victim, and even restore a remediated system back to a compromised state. Finally, we'll pivot from the attacker/red team perspective to that of a blue team defender or incident responder. We'll illustrate the signs that DSC might be abused on a compromised system, and how to detect and investigate the forensic evidence it leaves behind. This presentation includes source code and on-screen demonstrations of multiple attack scenarios.


Presenters:

  • Matt Hastings - Tanium
    Matt Hastings is a Security Architect at Tanium, Inc. and has 7 years of experience in incident response, forensic analysis, and penetration testing. Previously Matt worked as a Senior Consultant with Mandiant, a division of FireEye, Inc. Based in the Washington D.C area, Matt focuses on enterprise-wide incident response, high-tech crime investigations, penetration testing, strategic corporate security development, and security control assessments; Matt works with the Federal government, defense industrial base, financial industry, Fortune 500 companies, and global organizations.
  • Ryan Kazanciyan - Tanium
    Ryan Kazanciyan is the Chief Security Architect for Tanium and has twelve years of experience in incident response, forensic analysis, and penetration testing. Prior to joining Tanium, Ryan oversaw investigation and remediation efforts at Mandiant, where he spent six years working with dozens of Fortune 500 organizations impacted by targeted attacks. Ryan has taught classes for Black Hat, corporate security teams, and federal law enforcement, and is a co­author of "Incident Response and Computer Forensics," 3rd Edition (2014).

Links:

Similar Presentations: