What is OCI.DLL service persistence and how does it achieve auto-start via MSDTC?
OCI.DLL service persistence abuses the Microsoft Distributed Transaction Coordinator (MSDTC) service, which on startup searches specific directories for a DLL named oci.dll and loads it if found. By placing a malicious oci.dll in `C:\Windows\System32\` or `C:\Windows\System32\wbem\`, an attacker gets the backdoor loaded every time the service starts. This method, used by Shadow Force and documented in the CIA Vault7 RDB analysis, works in both domain and non-domain environments. For a related persistence technique using Waitfor.exe, see Use Waitfor.exe to maintain persistence.
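A defender's triage check for this technique, added here as an example and not part of the original page: it looks for oci.dll in the two directories named above, reports size, timestamp, Authenticode status, signer and SHA256 so an analyst can decide whether the file belongs there, and shows the MSDTC service start type. The paths and the assumption that a stock Windows install has no oci.dll in these locations are the example's own, not statements from the page.

```powershell
# Added example (not from the original page). Assumes the two MSDTC search
# directories from the text; on a stock Windows install no oci.dll is expected
# there (assumption), so any hit deserves a closer look.
$OciCandidates = @(
    (Join-Path $env:SystemRoot 'System32\oci.dll'),
    (Join-Path $env:SystemRoot 'System32\wbem\oci.dll')
)

function Test-OciDllPresence {
    param([string[]]$Candidates = $OciCandidates)
    $findings = @()
    foreach ($p in $Candidates) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $item = Get-Item -LiteralPath $p
        $sig  = Get-AuthenticodeSignature -FilePath $p
        $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Path            = $p
            SizeBytes       = $item.Length
            LastWriteTime   = $item.LastWriteTime
            SignatureStatus = $sig.Status          # 'Valid', 'NotSigned', 'HashMismatch', ...
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            SHA256          = $hash                # for lookup against internal allow/deny lists
        }
    }
    return $findings
}

$results = Test-OciDllPresence
if (-not $results) {
    Write-Output 'No oci.dll found in the MSDTC search directories.'
} else {
    Write-Output 'oci.dll present in an MSDTC search directory; review the details below:'
    $results | Format-List
}

# An auto-starting MSDTC plus an unexpected or unsigned oci.dll is the
# combination to escalate; the service alone is normal on many hosts.
Get-Service -Name MSDTC | Select-Object Name, Status, StartType
```

Run the script elevated so `Get-AuthenticodeSignature` and `Get-FileHash` can read the System32 files; an `Unsigned` or `HashMismatch` status, or a file whose last-write time does not match the surrounding OS files, is what to compare against known-good baselines or the hashes from the referenced Shadow Force reporting.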
Tags: OCI.DLL, MSDTC, service persistence, DLL auto-start, Shadow Force, Windows backdoor