Penetration via DLL hijacking in a domain: the MSDTC backdoor

Practical notes, drawing on the original Shadow Force write-up and the translated article that references it (see the references at the end).

Using the MSDTC service to load a backdoor DLL, which gives the backdoor an auto-start persistence mechanism.

The idea for this backdoor comes from Trend Micro's analysis; see their article:

https://blog.trendmicro.com/trendlabs-security-intelligence/shadow-force-uses-dll-hijacking-targets-south-korean-company/

0x01 MSDTC overview

msdtc.exe is the Microsoft Distributed Transaction Coordinator. The process is used by components such as Microsoft Personal Web Server and Microsoft SQL Server, and the service is used to manage transactions across multiple servers.
msdtc.exe coordinates transactions that span two or more databases, message queues, file systems, or other transaction-protected resource managers, so delete it with care.

The corresponding service is MSDTC (full name: Distributed Transaction Coordinator); Windows starts it by default.

The corresponding process is msdtc.exe, located in %windir%\system32.

The attack begins when Windows starts the Microsoft Distributed Transaction Coordinator (MSDTC) service, which coordinates transactions across multiple resource managers (such as databases, message queues, and file systems). When the target computer is joined to a domain, the MSDTC service searches the registry as soon as it starts.

Specifically, on a domain-joined computer the MSDTC service, on startup, searches the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI.

The MTxOCI component of the MSDTC service searches for three DLLs: oci.dll, SQLLib80.dll and xa80.dll. Windows does not ship oci.dll by default.

We rename the backdoor DLL to oci.dll and place it in %SystemRoot%\system32\. Once oci.dll is in place, the MSDTC service is killed with a remote command (taskkill /IM msdtc.exe /f), which causes MSDTC to restart; this time it looks for oci.dll and finds it.

At that point the service loads our backdoor DLL for us.

0x02 Reproducing the backdoor

Put oci.dll into system32 and restart the MSDTC service:

taskkill /f /im msdtc.exe

In Cobalt Strike, the service is invoked with sc.

We can see that the backdoor oci.dll has been loaded.

The MSDTC service is not specific to domain environments; it is started by default in a workgroup environment as well.

So the method is not limited to domain environments; it applies equally in a workgroup.

If privileges are lost, use:

msdtc -install

For ordinary user workstations, disabling the MSDTC service is recommended.
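For the defender's side of the hijack described in 0x01 and the mitigation above, here is an added audit script (not from the original post or from Shadow Force): it checks System32 for the three DLL names MTxOCI searches, verifies their Authenticode signatures, dumps the MTxOCI registry values, and reports the MSDTC service state. The `oci.dll`/`SQLLib80.dll`/`xa80.dll` names and the MTxOCI key come from the post; everything else is standard PowerShell, and the script only reports, it changes nothing.

```powershell
# Added audit example (not the original post's code). Run elevated on the host
# under review. Reporting only: no files or services are modified.

$system32  = Join-Path $env:SystemRoot 'System32'
$dllNames  = 'oci.dll', 'SQLLib80.dll', 'xa80.dll'   # names MSDTC's MTxOCI component searches for
$mtxOciKey = 'HKLM:\SOFTWARE\Microsoft\MSDTC\MTxOCI'

$findings = @()
foreach ($name in $dllNames) {
    $path = Join-Path $system32 $name
    if (Test-Path -LiteralPath $path) {
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $file = Get-Item -LiteralPath $path
        $findings += [pscustomobject]@{
            Path      = $path
            SigStatus = $sig.Status                  # 'Valid' for a properly signed binary
            Signer    = $sig.SignerCertificate.Subject
            Created   = $file.CreationTimeUtc
            SHA256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

# A default Windows install ships no oci.dll, so any copy in System32 deserves a
# look, and an unsigned one is a strong indicator of the MTxOCI hijack.
if ($findings.Count -eq 0) {
    Write-Output "No MTxOCI DLL names present in $system32."
} else {
    $findings | Format-Table -AutoSize
    $findings | Where-Object { $_.SigStatus -ne 'Valid' } |
        ForEach-Object { Write-Warning "Unsigned or invalid signature: $($_.Path)" }
}

# Show the MTxOCI registry values MSDTC consults, so a redirected library path is visible.
if (Test-Path -Path $mtxOciKey) {
    Get-ItemProperty -Path $mtxOciKey |
        Select-Object -Property * -ExcludeProperty PS* |
        Format-List
} else {
    Write-Output "Registry key $mtxOciKey not present."
}

# MSDTC service state: a workstation that does not need it can leave it stopped and disabled.
Get-Service -Name MSDTC | Select-Object Name, Status, StartType
```

Pair the file check with a baseline of known-good hashes from a clean build of the same Windows version; a signed `oci.dll` from a legitimate Oracle client install will then stand out from an unexpected, unsigned one.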

References:

https://blog.trendmicro.com/trendlabs-security-intelligence/shadow-force-uses-dll-hijacking-targets-south-korean-company/

https://www.4hou.com/system/6890.html


Source: www.cnblogs.com/-qing-/p/11601618.html