DSCompromised: A Windows DSC Attack Framework
Black Hat Asia 2016
Matt Hastings, Ryan Kazanciyan
Hello!
Ryan Kazanciyan Chief Security Architect, Tanium
Matt Hastings Security Director, Tanium
Backgrounds in incident response & forensics for large-scale, targeted attacks
Formerly consultants, currently builders
Co-authors of "Investigating PowerShell Attacks" (BH USA, 2014)
Continue to do IR & forensics research for "fun"
Agenda
Background
DSCompromised Framework & Attack Scenarios
Sources of evidence
Areas for future research and work
What the $%#$% is Desired State Configuration?
Windows DSC 101
Next-gen configuration management platform for Windows
Instrumented via PowerShell
Uses standard Managed Object Format (MOF) files
Does not require Active Directory (unlike SCCM)
Similarities to Puppet & Chef
DSC is not a complete solution stack: DSC implements the configuration layer, and Puppet and Chef can interoperate with DSC
What can DSC do?
Ensure that a desired "state" of the system is maintained over time
Download and create files and directories
Execute processes
Run scripts
Create users and assign group membership
Control Windows services
Manage registry keys and values
Install software
DSC Workflow: Author, Stage, Implement
Author: create the configuration and compile it to a .MOF file
Stage: place the configuration on a Pull Server (SMB, HTTP, or HTTPS) [or] push it from a Push Server (WinRM)
Implement: the target consumes and implements the configuration
Maintain: check for config "drift" and re-enforce as needed
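As an added illustration (not code from the talk or from the DSCompromised framework), the following PowerShell inspects the settings of the Local Configuration Manager (LCM) that drive the workflow above on a single host: whether it runs in Push or Pull mode, which pull server it talks to, how often it re-enforces the configuration, which MOF files are currently staged, and what the DSC operational log recorded most recently. It assumes WMF 4.0 or later in an elevated session; the `Get-DscConfigurationStatus` cmdlet and some resource properties only exist from WMF 5.0 onward.

```powershell
# Added example, not part of the DSCompromised slides: a read-only LCM audit.
# Run as Administrator. Assumes WMF 4.0+; WMF 5.0+ exposes more properties.

# 1. LCM meta-configuration: mode, re-enforcement cadence and pull source.
$lcm = Get-DscLocalConfigurationManager

# ConfigurationDownloadManagers holds web (ServerURL) or SMB (SourcePath) pull sources.
$pullSources = foreach ($dm in $lcm.ConfigurationDownloadManagers) {
    if ($dm.ServerURL) { $dm.ServerURL }
    elseif ($dm.SourcePath) { $dm.SourcePath }
    else { $dm.ResourceId }
}

[pscustomobject]@{
    RefreshMode            = $lcm.RefreshMode                    # Push, Pull or Disabled
    ConfigurationMode      = $lcm.ConfigurationMode              # ApplyAndAutoCorrect re-enforces drift
    RefreshFrequencyMins   = $lcm.RefreshFrequencyMins           # how often a Pull client checks in
    ReapplyFrequencyMins   = $lcm.ConfigurationModeFrequencyMins # how often drift is checked/corrected
    RebootNodeIfNeeded     = $lcm.RebootNodeIfNeeded
    PullSources            = ($pullSources -join ', ')
} | Format-List

# 2. Staged MOFs: Current.mof is what the LCM enforces, Pending.mof is queued,
#    MetaConfig.mof is the LCM's own settings. Unexpected timestamps deserve a look.
$cfgDir = Join-Path $env:SystemRoot 'System32\Configuration'
Get-ChildItem -Path $cfgDir -Filter '*.mof' -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize

# 3. Resources in the currently applied configuration (empty if none is applied).
Get-DscConfiguration -ErrorAction SilentlyContinue |
    Select-Object ResourceId, ModuleName, ConfigurationName | Format-Table -AutoSize

# 4. Most recent DSC operational events (consistency checks, pulls, applies).
Get-WinEvent -LogName 'Microsoft-Windows-DSC/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

A host that should never be managed by DSC but reports RefreshMode Pull, a pull source you do not recognise, or a recently written Current.mof is worth investigating further.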
Sorry, no zero-days...
We have not...
Exploited vulnerabilities in DSC
Identified ways to escalate privileges with DSC
We have...
Utilized DSC as a covert persistence mechanism
Simplified the process to weaponize DSC
Identified the telltale evidence of DSC misuse