Two forensics experts have demonstrated how to abuse the Windows Desired State Configuration (DSC) feature to gain persistence on a compromised machine.
“If not properly remediated, DSC will automatically re-infect the victim by re-dropping the file and re-executing the malware without notifying the user,” explained Kazanciyan.
“We have yet to see an example of this attack happening in the wild – that doesn’t mean it isn’t happening – but it does give us hope that we can get this out there so that red and blue teams are aware.”
The experts also offered suggestions for preventing exploitation of the attack in the wild by cyber criminals. PowerShell 3 and later can log the execution of malicious scripts such as those used in Hastings’ and Kazanciyan’s attack.
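
A defender can check whether a host carries a DSC configuration that would keep re-applying itself, as described above. The following is an added example, not code from the researchers or from the original article; the function name `Get-DscPersistenceTriage` is hypothetical, and it assumes PowerShell 4.0 or later (where the DSC cmdlets exist), an elevated session, and the default DSC store path.

```powershell
# Added example: triage a host for a DSC configuration that re-applies itself.
# Assumptions: PowerShell 4.0+ with the PSDesiredStateConfiguration module, elevated session.
function Get-DscPersistenceTriage {
    [CmdletBinding()]
    param(
        # Default DSC store; the MOF documents here hold applied and pending configurations.
        [string]$ConfigStore = "$env:windir\System32\Configuration"
    )

    # 1. LCM settings: ApplyAndAutoCorrect means drift (e.g. a deleted file) is re-applied.
    $lcm = Get-DscLocalConfigurationManager

    # 2. Configuration documents on disk and when they were last written.
    $docs = Get-ChildItem -Path $ConfigStore -Filter '*.mof' -ErrorAction SilentlyContinue |
        Select-Object Name, Length, LastWriteTimeUtc

    # 3. Resources in the currently applied configuration, if one exists.
    $resources = @()
    try {
        $resources = @(Get-DscConfiguration -ErrorAction Stop |
            Select-Object ResourceId, ConfigurationName,
                @{ n = 'Type'; e = { $_.CimClass.CimClassName } })
    } catch {
        Write-Verbose "No current configuration readable: $($_.Exception.Message)"
    }

    # 4. Recent DSC engine activity from the operational event log.
    $events = Get-WinEvent -LogName 'Microsoft-Windows-DSC/Operational' -MaxEvents 50 `
            -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ConfigurationMode = $lcm.ConfigurationMode
        RefreshMode       = $lcm.RefreshMode
        AutoCorrects      = ($lcm.ConfigurationMode -eq 'ApplyAndAutoCorrect')
        HasAppliedConfig  = ($resources.Count -gt 0)
        Resources         = $resources
        ConfigDocuments   = $docs
        RecentDscEvents   = $events
    }
}

$report = Get-DscPersistenceTriage
$report | Format-List ComputerName, ConfigurationMode, RefreshMode, AutoCorrects, HasAppliedConfig
$report.Resources | Format-Table -AutoSize
```

On a machine that is not managed with DSC, an applied configuration or recently written MOF documents in the store are worth investigating.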