DSCOMPROMISED: A WINDOWS DSC ATTACK FRAMEWORK presented at Black Hat Asia 2016

by Ryan Kazanciyan, Matt Hastings

Summary: DSCompromised is a PowerShell-based toolkit that leverages Windows Desired State Configuration (DSC) for command-and-control, malware persistence, and automatic re-infection of compromised systems. Never heard of DSC before? Worry not! We'll first explain the basics of how DSC, Microsoft's declarative configuration management platform for enterprise Windows systems, works, and how an attacker can take control of it and abuse it. Next, we'll walk through the steps necessary to use our DSCompromised framework to set up a command-and-control server, generate payloads, infect a victim, and even restore a remediated system to its compromised state.
Finally, we'll pivot from the attacker/red team perspective to that of a blue team defender or incident responder. We'll illustrate the signs that DSC may have been abused on a compromised system, and how to detect and investigate the forensic evidence it leaves behind. This presentation includes source code and on-screen demonstrations of multiple attack scenarios.
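As an added illustration of the mechanism the abstract describes (this is example code written for this page, not DSCompromised's own code and not from the talk), the following PowerShell shows why DSC lends itself to "re-infection": a Script resource whose TestScript fails whenever an artifact is missing, enforced by a Local Configuration Manager set to ApplyAndAutoCorrect, is re-applied on every consistency check, so deleting the artifact is undone by the LCM itself. The second half lists the on-host checks a responder can run to spot such a configuration. The marker file path, the configuration names and the output directory are assumptions chosen for the example; the "payload" is a harmless text file rather than malware, and nothing here implements the framework's C2 or payload generation.

```powershell
# Added example (not DSCompromised code): persistence by DSC re-application,
# followed by responder triage. Paths, names and interval are assumed.
# Run in an elevated Windows PowerShell 5.x session on a disposable test VM.

$marker = 'C:\ProgramData\dsc_marker.txt'   # assumed artifact path

# --- Attacker view: a configuration the LCM will keep re-applying ------------
Configuration MarkerPersist {
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node 'localhost' {
        Script RecreateMarker {
            # TestScript returns $false whenever the artifact is missing...
            TestScript = { Test-Path 'C:\ProgramData\dsc_marker.txt' }
            # ...and SetScript puts it back. In a real attack this block is where
            # a payload would be dropped or launched; here it writes a text file.
            SetScript  = { 'reapplied by DSC' | Set-Content 'C:\ProgramData\dsc_marker.txt' }
            GetScript  = { @{ Result = (Test-Path 'C:\ProgramData\dsc_marker.txt') } }
        }
    }
}

# LCM meta-configuration: run a consistency check every 15 minutes (the
# minimum the LCM accepts) and correct drift instead of merely reporting it.
[DSCLocalConfigurationManager()]
Configuration MarkerLcm {
    Node 'localhost' {
        Settings {
            ConfigurationMode              = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 15
            RefreshMode                    = 'Push'   # a pull-server setup would use 'Pull'
                                                      # plus a ConfigurationRepositoryWeb block
            RebootNodeIfNeeded             = $false
        }
    }
}

$out = Join-Path $env:TEMP 'dsc-demo'          # assumed MOF output directory
MarkerLcm     -OutputPath $out | Out-Null
MarkerPersist -OutputPath $out | Out-Null
Set-DscLocalConfigurationManager -Path $out -Verbose
Start-DscConfiguration -Path $out -Wait -Verbose

# Deleting the file looks like remediation, but the next consistency check
# (forced here with -UseExisting instead of waiting 15 minutes) recreates it.
Remove-Item $marker -ErrorAction SilentlyContinue
Start-DscConfiguration -UseExisting -Wait -Verbose
Test-Path $marker    # True again: the LCM restored the "compromised" state

# --- Responder view: is this host under a DSC configuration, and what does it do?
# 1. LCM settings. Pull mode, an unexpected download manager URL, or
#    ApplyAndAutoCorrect on a host nobody manages with DSC all deserve a look.
Get-DscLocalConfigurationManager |
    Select-Object RefreshMode, ConfigurationMode, ConfigurationModeFrequencyMins,
                  ConfigurationDownloadManagers

# 2. The resources currently enforced. For a Script resource the Get method
#    returns the GetScript/TestScript/SetScript text, so the logic is readable here.
Get-DscConfiguration

# 3. The configuration documents on disk. Current.mof, Pending.mof and
#    MetaConfig.mof live here; their timestamps show when the configuration was
#    first pushed or last changed, even if the contents are stored encrypted.
Get-ChildItem 'C:\Windows\System32\Configuration\*.mof' |
    Select-Object Name, LastWriteTime

# 4. Application history: every initial push and consistency run is recorded,
#    both by the LCM and in the DSC operational event log.
Get-DscConfigurationStatus -All | Select-Object StartDate, Type, Status, Mode
Get-WinEvent -LogName 'Microsoft-Windows-DSC/Operational' -MaxEvents 20 |
    Select-Object TimeCreated, Id, Message
```

The triage section is the defensive half of the same mechanism: a host that was never enrolled in DSC but has a populated MetaConfig.mof, an LCM in ApplyAndAutoCorrect mode, or consistency-check entries in Get-DscConfigurationStatus is showing exactly the evidence the abstract says DSC abuse leaves behind. The Microsoft-Windows-DSC Analytic and Debug channels carry more detail than the Operational log but are disabled by default, so enabling them before an incident is a cheap win.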