So I found another persistence method in the WikiLeaks dump (Vault 7) that was formerly used by an infamous APT (Advanced Persistent Threat) group.

The APT implemented this persistence method in their 'Hikit' rootkit.

Let's understand what it is ~

Windows contains a service called “Distributed Transaction Coordinator” that is configured to “Manual” start by default. This service causes a DLL called “C:\Windows\System32\wbem\oci.dll” to load into the “Network Services” group. By placing our own DLL in this location and configuring the service to start automatically, we have a persistence mechanism with system privileges.

Unfortunately, the service runs under the “Network Service” account, which is a restricted account that has privileges to access the network. Hikit changes the user account to SYSTEM when it uses this for persistence. We can perform this same trick, but it will probably be flagged by PSPs.
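From the defender's side, the two things worth auditing are exactly the two knobs described above: whether anything is sitting at the oci.dll path that MSDTC loads from, and whether the service's start type or account has drifted from its default. The script below is an added example written for this post, not code from the post or from the Hikit sample; it assumes an elevated PowerShell 5.1+ session and uses only built-in cmdlets (the service name `MSDTC` is Windows' internal name for “Distributed Transaction Coordinator”).

```powershell
# Added defensive audit (not from the original post): checks the MSDTC
# persistence path described above. Run in an elevated PowerShell session.

$dllPath = Join-Path $env:SystemRoot 'System32\wbem\oci.dll'

# 1. Is there already an oci.dll in the location MSDTC loads from?
#    On a stock install this file is absent, so anything present deserves a look.
if (Test-Path $dllPath) {
    $file = Get-Item $dllPath
    $sig  = Get-AuthenticodeSignature -FilePath $dllPath
    [pscustomobject]@{
        Check     = 'wbem\oci.dll present'
        Path      = $dllPath
        SizeBytes = $file.Length
        Modified  = $file.LastWriteTime
        SigStatus = $sig.Status                    # 'Valid', 'NotSigned', 'HashMismatch', ...
        Signer    = $sig.SignerCertificate.Subject # empty when unsigned
        SHA256    = (Get-FileHash -Algorithm SHA256 -Path $dllPath).Hash
    }
} else {
    Write-Output "OK: no oci.dll under System32\wbem (nothing for MSDTC to load there)."
}

# 2. MSDTC start type and account. The default is Manual start under
#    NT AUTHORITY\NetworkService; automatic start or a LocalSystem account
#    matches the change the post describes and should be investigated.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MSDTC'"
[pscustomobject]@{
    Check      = 'MSDTC service configuration'
    StartMode  = $svc.StartMode     # 'Manual' expected; 'Auto' is the persistence setting
    Account    = $svc.StartName     # 'NT AUTHORITY\NetworkService' expected
    Binary     = $svc.PathName
    Suspicious = ($svc.StartMode -eq 'Auto') -or ($svc.StartName -match 'LocalSystem')
}
```

Both objects can be piped to `Export-Csv` or compared against a known-good baseline from a clean build; the combination of a freshly written, unsigned oci.dll plus a service that has moved to Auto/LocalSystem is the pattern to alert on, rather than either indicator on its own.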

Now this is a really awesome trick to get privilege escalation easily.

Problems ~

But now that it has gone public and is known to AV products, we also have to check that this DLL won't crash the system.

Hope you liked it.
