
Beyond good ol’ Run key, Part 91

October 10, 2018 in Anti-Forensics, Autostart (Persistence), LOLBins

This is a mixed persistence trick/LOLBIN.

There is a program in the Windows system directory that is very rarely used: dmcfghost.exe. As far as I can tell it has something to do with the OMA Client Provisioning (OMA-CP) protocol (the program's internal name is ‘Host Process for Push Router Client of OMA-CP’).

When you run it, if everything goes as planned (I don’t understand the logic inside the program, but it looks like running it on Windows 10 always returns success internally), it loads a DLL from the path stored in the following registry value:

  • HKLM\SOFTWARE\Microsoft\PushRouter\Test\TestDllPath2=<DLL>

So adding e.g. a Run key pointing to dmcfghost.exe ensures that this binary is executed every time the user logs on, and the ‘test’ DLL gets loaded along with it. Since the TestDllPath2 value lives under HKLM, planting it requires administrative rights; once it is in place, even a per-user HKCU Run key is enough to trigger the load at logon.
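The following PowerShell script is an added example (not code from the original post) that audits a host for this trick from the defender's side: it reads the PushRouter test DLL value, checks whether the referenced DLL exists and is Authenticode-signed, and lists any Run/RunOnce entries that launch dmcfghost.exe. The PushRouter key and value name come from the post; the set of autostart keys scanned is my assumption about where a defender would look, not something the post enumerates.

```powershell
# Added example: audit for the dmcfghost.exe / PushRouter\Test\TestDllPath2 persistence trick.
# Registry paths for the PushRouter value are taken from the post; the Run/RunOnce key list
# below is an assumption about which autostart locations are worth checking.

$pushRouterKey = 'HKLM:\SOFTWARE\Microsoft\PushRouter\Test'
$valueName     = 'TestDllPath2'

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-PushRouterTestDll {
    # Returns the configured DLL path, or $null when the value is absent (the clean state).
    $item = Get-ItemProperty -Path $pushRouterKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.$valueName
}

function Get-RunEntriesLaunching {
    param([string]$ImageName)
    # Walk every value under the autostart keys and keep those whose command mentions $ImageName.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $reg = Get-Item -Path $key
        foreach ($name in $reg.GetValueNames()) {
            $cmd = [string]$reg.GetValue($name)
            if ($cmd -match [regex]::Escape($ImageName)) {
                [pscustomobject]@{ Key = $key; ValueName = $name; Command = $cmd }
            }
        }
    }
}

function Test-DllTrust {
    param([string]$Path)
    # Expand %SystemRoot%-style references, then report existence and signature status.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not (Test-Path -LiteralPath $expanded)) {
        return [pscustomobject]@{ Path = $expanded; Exists = $false; Signature = 'n/a' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $expanded
    return [pscustomobject]@{ Path = $expanded; Exists = $true; Signature = $sig.Status }
}

$dll = Get-PushRouterTestDll
if ($dll) {
    Write-Warning "$pushRouterKey\$valueName is set to: $dll"
    Test-DllTrust -Path $dll | Format-List
} else {
    Write-Output "$pushRouterKey\$valueName is not set (expected on a clean host)."
}

$entries = @(Get-RunEntriesLaunching -ImageName 'dmcfghost.exe')
if ($entries.Count -gt 0) {
    Write-Warning 'Autostart entries launching dmcfghost.exe:'
    $entries | Format-Table -AutoSize
} else {
    Write-Output 'No Run/RunOnce entries reference dmcfghost.exe.'
}
```

A populated TestDllPath2 value pointing at an unsigned DLL outside the Windows directory, combined with any autostart entry for dmcfghost.exe, is the combination worth escalating; either half on its own is unusual enough on a workstation to deserve a look.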

acw.exe – perhaps the last true Lolbin standing…

August 19, 2018 in Living off the land, LOLBins

As I mentioned, I won’t be covering lolbins anymore until I find something new/interesting.

I guess an OS-native rundll32.exe replacement is kinda interesting, especially since it seems to be present by default on some Windows Server installations (e.g. 2008) and is sometimes installed by other software.

The binary in question is part of the Guided Help (a.k.a. Active Content Wizard) component, and the executable is acw.exe.

It has a handy command line switch that makes it load and execute any DLL we point it at:

  • %systemroot%\system32\acw.exe -Extensions <dll>

Known locations of acw.exe are:

  • c:\Program Files\ACW\acw.exe
  • c:\windows\system32\acw.exe
  • c:\windows\syswow64\acw.exe
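The following PowerShell script is an added example (not code from the original post) for hunting this LOLBin: it checks the three locations the post lists, records each copy's hash and signature, and scans running processes for an acw.exe command line using the -Extensions switch. The process scan and the command-line pattern are my additions; the post only documents the switch itself.

```powershell
# Added example: locate acw.exe on a host and spot live "-Extensions <dll>" invocations.
# The three paths come from the post; the process scan is an assumed detection, not from the post.

$knownAcwPaths = @(
    'C:\Program Files\ACW\acw.exe',
    "$env:SystemRoot\System32\acw.exe",
    "$env:SystemRoot\SysWOW64\acw.exe"
)

function Find-AcwBinaries {
    # Report every known location where acw.exe is present, with signer and SHA256 for triage.
    foreach ($p in $knownAcwPaths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $sig    = Get-AuthenticodeSignature -FilePath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
        [pscustomobject]@{
            Path      = $p
            Signature = $sig.Status
            Signer    = $signer
            SHA256    = (Get-FileHash -Path $p -Algorithm SHA256).Hash
        }
    }
}

function Test-AcwExtensionLoad {
    param([string]$CommandLine)
    # True when a command line invokes acw.exe with "-Extensions <something>", i.e. the rundll32-like use.
    # -match is case-insensitive in PowerShell, so ACW.EXE / -extensions are covered too.
    return [bool]($CommandLine -match 'acw\.exe["'']?\s+.*-Extensions\s+\S+')
}

function Get-SuspiciousAcwProcesses {
    # Enumerate live processes and keep those whose command line matches the DLL-load pattern.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.CommandLine -and (Test-AcwExtensionLoad -CommandLine $_.CommandLine) } |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

$found = @(Find-AcwBinaries)
if ($found.Count -eq 0) {
    Write-Output 'acw.exe not present in any known location.'
} else {
    $found | Format-Table -AutoSize
}

$procs = @(Get-SuspiciousAcwProcesses)
if ($procs.Count -gt 0) {
    Write-Warning 'acw.exe running with -Extensions (DLL load via LOLBin):'
    $procs | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No acw.exe -Extensions invocations running right now.'
}
```

Test-AcwExtensionLoad is deliberately a standalone function so the same pattern can be run over process-creation telemetry (Sysmon event 1, Security 4688 with command-line auditing) rather than only over a point-in-time process snapshot.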