Beyond good ol’ Run key, Part 91

October 10, 2018 in Anti-Forensics, Autostart (Persistence), LOLBins

This is a mixed persistence trick/LOLBIN.

There is a program in the Windows system directory that is very rarely used: dmcfghost.exe. As far as I can tell it has something to do with the OMA Client Provisioning (CP) protocol (the internal name of the program states: ‘Host Process for Push Router Client of OMA-CP’).

When you run it, and everything goes as planned (I don’t understand the logic inside the program, but it looks like running it on Windows 10 always returns success internally), it will load a DLL from the following registry entry:

  • HKLM\SOFTWARE\Microsoft\PushRouter\

So, adding e.g. a Run key pointing to dmcfghost.exe will ensure that this binary is launched every time a user logs on, and the ‘test’ DLL will be loaded along with it.
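A defender-side audit for the two pieces described above, written as an added example (it is not code from the original post). The post does not name the value under HKLM\SOFTWARE\Microsoft\PushRouter\ that holds the DLL path, so the script reads every string value under that key recursively instead of assuming a value name, and flags anything that references a .dll (reporting whether the file sits under System32 and what its Authenticode status is). It then checks the standard Run/RunOnce keys for entries that launch dmcfghost.exe. The Run key paths are the usual Windows autostart locations; everything else is derived only from what the post states.

```powershell
# Added audit script (not from the original post). Enumerates the PushRouter
# key and the standard Run keys and reports anything that points at a DLL or
# at dmcfghost.exe. The value name under PushRouter is not given in the post,
# so every string value under that key is inspected rather than one assumed name.

$pushRouterKey = 'HKLM:\SOFTWARE\Microsoft\PushRouter'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RegistryStringValues {
    # Yield every REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ value under $Path (recursively),
    # keeping environment variables unexpanded so the stored text is reported as-is.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $keys = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $kind = "$($key.GetValueKind($name))"
            if ($kind -in @('String', 'ExpandString', 'MultiString')) {
                $raw = $key.GetValue($name, $null,
                    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                foreach ($v in @($raw)) {
                    [pscustomobject]@{ Key = $key.Name; Name = $name; Value = [string]$v }
                }
            }
        }
    }
}

function Test-PushRouterDllPaths {
    # Flag any string value under PushRouter that names a DLL, and describe the file it points at.
    foreach ($entry in Get-RegistryStringValues -Path $pushRouterKey) {
        if ($entry.Value -match '(?i)\.dll\b') {
            $expanded = [Environment]::ExpandEnvironmentVariables($entry.Value)
            $status = if (Test-Path -LiteralPath $expanded) {
                (Get-AuthenticodeSignature -FilePath $expanded).Status
            } else { 'FileMissing' }
            [pscustomobject]@{
                Finding    = 'PushRouter value references a DLL'
                Key        = $entry.Key
                Name       = $entry.Name
                Path       = $expanded
                InSystem32 = ($expanded -like "$env:SystemRoot\System32\*")
                Signature  = $status
            }
        }
    }
}

function Test-RunKeysForDmcfghost {
    # Flag autostart entries that launch dmcfghost.exe, which is rarely used legitimately.
    foreach ($run in $runKeys) {
        foreach ($entry in Get-RegistryStringValues -Path $run) {
            if ($entry.Value -match '(?i)dmcfghost\.exe') {
                [pscustomobject]@{
                    Finding = 'Run key launches dmcfghost.exe'
                    Key     = $entry.Key
                    Name    = $entry.Name
                    Value   = $entry.Value
                }
            }
        }
    }
}

$results = @(Test-PushRouterDllPaths) + @(Test-RunKeysForDmcfghost)
if ($results.Count -eq 0) {
    Write-Output 'No PushRouter DLL references or dmcfghost.exe autostart entries found.'
} else {
    $results | Format-List
}
```

Run it from an elevated PowerShell prompt so HKLM is fully readable. A DLL reference under PushRouter that points outside System32, to a missing file, or to an unsigned binary is the combination worth triaging, especially when paired with a Run key entry for dmcfghost.exe.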
