Desired state: compromised

Presented at BruCON 0x07 (2015), Oct. 9, 2015, 3 p.m. (60 minutes)

Desired State Configuration (DSC) is a core component of Microsoft's new enterprise management technology that provides unique opportunities for administrators and attackers alike. It's designed to monitor and maintain the configuration of a set of systems - even over the internet - with no Active Directory required. But in the wrong hands, a creative adversary can hijack DSC as an effective means of command-and-control using nothing but PowerShell scripts and built-in Windows features. First, we'll demonstrate how to use DSC to infect systems and serve as a covert persistence mechanism for malware. We'll walk through the steps needed to build a remote C2 server that manages compromised systems - and can even re-infect those that have been cleaned - with DSC and a bit of scripting. Our presentation will also highlight other DSC capabilities, such as transferring files or modifying the registry, that can be abused for malicious control of a system. After covering these intrusion scenarios, we'll tackle the topic from the perspective of a defender or incident responder. We'll illustrate the signs that DSC might be used on a compromised system, and how to investigate the forensic evidence it leaves behind. Proof-of-concept source code will accompany the presentation and our research.

Presenters:

• Ryan Kazanciyan
  Ryan Kazanciyan is the Chief Security Architect for Tanium, and has twelve years of experience in incident response, forensic analysis, and security assessments. Prior to joining Tanium, Ryan was a Technical Director at Mandiant, where he led investigation and remediation efforts for dozens of Fortune 500 organizations impacted by targeted attacks. Ryan has presented research and taught classes for federal law enforcement, corporate security groups, and at industry conferences around the world. He is a co-author of "Incident Response and Computer Forensics, 3rd Edition", released in 2014.
• Matt Hastings
  Matt Hastings is a Security Architect focused on research and development for Incident Response and forensic tools. Previously, Matt worked as a consultant performing enterprise-wide incident response, high-tech crime investigations, penetration testing, strategic corporate security development, and security control assessments; working with the Federal government, defense industrial base, financial industry, Fortune 500 companies, and global organizations.

Links:

• https://brucon0x072015.sched.com/event/4LH0/desired-state-compromised

Similar Presentations:

• BruCON 0x0A (2018) / (Re)Investigating Powershell attacks
• Black Hat Asia 2016 / DSCompromised: A Windows DSC Attack Framework