This is just a note to reference what I posted on Twitter earlier today.

According to Flash Player Admin Guide (‘Background updates from an internal server’ section), you can create a mms.cfg file with the following content:

AutoUpdateDisable=0 
SilentAutoUpdateEnable=1 
SilentAutoUpdateServerDomain=<your serv> 

Once installed, Flash will be updating from the server provided in the config. It could be a lolbin/persistence/covert channel opportunity. I have not tested it. Also, note that Flash is dying, so this is probably not that important.

In any case though, if you spot mmc.cfg file you may want to inspect it. Procmon tells me that these are possible locations:

• C:\Windows\System32\mms.cfg
• C:\Windows\SysWOW64\mms.cfg
• C:\Windows\SysWOW64\Macromed\Flash\mms.cfg