How does the MSDTC service backdoor work for persistence?
The MSDTC service (Distributed Transaction Coordinator) automatically attempts to load three DLLs named in the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI`, including `oci.dll`, which is not present in Windows by default. Attackers place a malicious DLL named `oci.dll` in `%windir%\system32\`; when the MSDTC service starts (which it does by default in both domain and workgroup environments), it loads that DLL with SYSTEM privileges, achieving persistence. This technique was used by the Shadow Force group and bypasses Autoruns detection. For full details, see Use msdtc to maintain persistence.
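A defensive check for this persistence location, added here as an example and not part of the original answer: it reads every DLL name stored under the `MTxOCI` key, resolves each against `%windir%\System32`, and reports whether the file is present and how it is signed, so an unexpected `oci.dll` stands out. It assumes the key layout described above and uses only built-in PowerShell cmdlets.

```powershell
# Added example: audit the DLL names MSDTC reads from MTxOCI (not from the original answer).
$MtxOciKey = 'HKLM:\SOFTWARE\Microsoft\MSDTC\MTxOCI'
$System32  = Join-Path $env:windir 'System32'

function Get-MtxOciDllStatus {
    if (-not (Test-Path $MtxOciKey)) {
        Write-Warning "Registry key $MtxOciKey not found"
        return
    }
    $props = Get-ItemProperty -Path $MtxOciKey
    # Keep only string values that look like DLL names; drop the PS* metadata properties.
    $dllValues = $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -is [string] -and $_.Value -match '\.dll$' }

    foreach ($v in $dllValues) {
        $path    = Join-Path $System32 $v.Value
        $present = Test-Path -LiteralPath $path
        $status  = 'n/a'
        $signer  = $null
        if ($present) {
            # Authenticode status and signer subject help triage a file that should not exist by default.
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [pscustomobject]@{
            RegistryValue = $v.Name
            Dll           = $v.Value
            Path          = $path
            Present       = $present
            Signature     = $status
            Signer        = $signer
            # Any present file that is unsigned or not validly signed deserves a closer look.
            ReviewNeeded  = $present -and ($status -ne 'Valid')
        }
    }
}

# Service start type tells you whether the load happens at boot without user action.
Get-CimInstance Win32_Service -Filter "Name='MSDTC'" |
    Select-Object Name, StartMode, State, StartName | Format-List

Get-MtxOciDllStatus | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt; a row with `Present = True` for `oci.dll` on a host with no Oracle client installed is the finding to escalate.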
Tags: MSDTC, DLL hijacking, oci.dll, persistence, Shadow Force, bypass Autoruns, SYSTEM privileges