Practical tips and more recently a reference to the original article by Daniel Shadow Force chiefs translation of the article reference Miyoshi
MSDTC service using the back door to load dll, achieve self-starting back door
Trend Micro backdoor ideas can view articles
0x01 MSDTC Profile
msdtc.exe Microsoft distributed transmission coordinator . The system calls the process Microsoft Personal Web Server and in the Microsoft SQL Server . This service is used to manage multiple servers.
msdtc.exe is a tie affairs, is distributed in two or more databases, message queues, file systems, or other transaction-protected resource managers, be careful to delete.
The corresponding service MSDTC, full name of the Distributed Transaction Coordinator, Windows system default to start the service
The corresponding process msdtc.exe, located in% windir% system32
When the Windows operating system to start Microsoft Distributed Transaction Coordinator (MSDTC) service, the attack began, the service can be coordinated across multiple resource managers (such as databases, message queues, and file system) transaction. When the target computer to join a domain, once the MSDTC service is started, it searches the registry.
When the computer is joined to a domain, when the MSDTC service starts, it will search the registry HKEY_LOCAL_MACHINE SOFTWARE MicrosoftMSDTC MTxOCI
MSDTC service MTxOCI three components search DLL: oci.dll , SQLLib80.dll and xa80.dll . Windows by default does not contain oci.dll
We will backdoor dll will rename oci.dll , and place it in % SystemRoot% \ system32 \ in . oci.dll ready, use the remote operation command to kill the MSDTC service ( taskkill / IM msdtc.exe / f ), resulting in MSDTC to reload itself. But this time it will look for and find oci.dll .
This time the service will be beneficial to our back door dll pull up.
0x02 reproducible back door
oci.dll into the system32 restart msdtc service
taskkill /f /im msdtc.exe
cobalt strike in use sc call service
We can see the back door pull up oci.dll
MSDTC service is not unique domain environment, the default will start the MSDTC service under a workgroup environment
The method applies not only to use a domain environment, the workgroup environment is equally applicable
Down the right to use:
msdtc -install
For ordinary users host recommended to disable MSDTC service
reference:
https://blog.trendmicro.com/trendlabs-security-intelligence/shadow-force-uses-dll-hijacking-targets-south-korean-company/
https://www.4hou.com/system/6890.html