DSCompromised: A Windows DSC Attack Framework

DSCompromised is a PowerShell-based toolkit that leverages Windows Desired State Configuration (DSC) for command-and-control, malware persistence, and automatic re-infection of compromised systems. Never heard of DSC before? Worry not! We'll first explain the basics of how DSC, Microsoft's next-gen enterprise management technology, works - and how it can be controlled and abused by an attacker. Next, we'll walk through the steps necessary to use our DSCompromised framework to set up a command-and-control server, generate payloads, infect a victim, and even restore a remediated system back to a compromised state.

Finally, we'll pivot from the attacker/red team perspective to that of a blue team defender or incident responder. We'll illustrate the signs that DSC might be abused on a compromised system, and how to detect and investigate the forensic evidence it leaves behind. This presentation includes source code and on-screen demonstrations of multiple attack scenarios.

Ryan Kazanciyan

April 01, 2016