Flash Player & Background updates from an internal server via mms.cfg

May 13, 2020 in Autostart (Persistence), Forensic Analysis, Living off the land, LOLBins, Random ideas

This is just a note to reference what I posted on Twitter earlier today.

According to Flash Player Admin Guide (‘Background updates from an internal server’ section), you can create a mms.cfg file with the following content:

AutoUpdateDisable=0 
SilentAutoUpdateEnable=1
SilentAutoUpdateServerDomain=<your serv>

Once installed, Flash will be updating from the server provided in the config. It could be a lolbin/persistence/covert channel opportunity. I have not tested it. Also, note that Flash is dying, so this is probably not that important.

In any case though, if you spot mmc.cfg file you may want to inspect it. Procmon tells me that these are possible locations:

  • C:\Windows\System32\mms.cfg
  • C:\Windows\SysWOW64\mms.cfg
  • C:\Windows\SysWOW64\Macromed\Flash\mms.cfg
Share this :)

Comments are closed.