Applying update b8e6d35

_entries/microsoft/built-in/cryptbase.md

@@ -223,17 +223,26 @@ VulnerableExecutables:
     Type: Authenticode
   SHA256:
   - 6511ef24c41cf20f707119dd40971420f1cd6f97f0e888b7d24b5e0dec9d5495
+- Path: '%PROGRAMFILES%\Microsoft Deployment Toolkit\Bin\Microsoft.BDD.Catalog35.exe'
+  Type: Sideloading
+  ExpectedSignatureInformation:
+  - Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+    Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+    Type: Catalog
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://securityintelligence.com/posts/windows-features-dll-sideloading/
 - https://github.com/xforcered/WFH
 - https://twitter.com/AndrewOliveau/status/1682185200862625792
+- https://twitter.com/BSummerz/status/1860045985919205645
 Acknowledgements:
 - Name: Wietze
   Twitter: '@wietze'
 - Name: Chris Spehn
   Twitter: '@ConsciousHacker'
 - Name: Andrew Oliveau
   Twitter: '@AndrewOliveau'
+- Name: Will Summerhill
+  Twitter: '@BSummerz'
 ---
 

_entries/microsoft/built-in/cryptnet.md

@@ -0,0 +1,26 @@
+---
+Name: cryptnet.dll
+Author: Will Summerhill
+Created: 2024-11-22
+Vendor: Microsoft
+ExpectedLocations:
+- '%SYSTEM32%'
+- '%SYSWOW64%'
+ExpectedSignatureInformation:
+- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+  Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+  Type: Catalog
+VulnerableExecutables:
+- Path: '%PROGRAMFILES%\Microsoft Deployment Toolkit\Bin\Microsoft.BDD.Catalog35.exe'
+  Type: Sideloading
+  ExpectedSignatureInformation:
+  - Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+    Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+    Type: Catalog
+Resources:
+- https://twitter.com/BSummerz/status/1860045985919205645
+Acknowledgements:
+- Name: Will Summerhill
+  Twitter: '@BSummerz'
+---
+

_entries/microsoft/built-in/iphlpapi.md

@@ -216,6 +216,12 @@ VulnerableExecutables:
     Type: Authenticode
   SHA256:
   - 6511ef24c41cf20f707119dd40971420f1cd6f97f0e888b7d24b5e0dec9d5495
+- Path: '%PROGRAMFILES%\Microsoft Deployment Toolkit\Bin\Microsoft.BDD.Catalog35.exe'
+  Type: Sideloading
+  ExpectedSignatureInformation:
+  - Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+    Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+    Type: Catalog
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://wietze.github.io/blog/save-the-environment-variables
@@ -224,6 +230,7 @@ Resources:
 - https://github.com/xforcered/WFH
 - https://twitter.com/AndrewOliveau/status/1682185200862625792
 - https://x00.zip/playing-with-process-handles/
+- https://twitter.com/BSummerz/status/1860045985919205645
 Acknowledgements:
 - Name: Wietze
   Twitter: '@wietze'
@@ -235,5 +242,7 @@ Acknowledgements:
   Twitter: '@AndrewOliveau'
 - Name: Tim Peck
   Twitter: '@B0bby_Tablez'
+- Name: Will Summerhill
+  Twitter: '@BSummerz'
 ---
 

_entries/microsoft/built-in/profapi.md

@@ -75,11 +75,20 @@ VulnerableExecutables:
   - Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
     Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
     Type: Catalog
+- Path: '%PROGRAMFILES%\Microsoft Deployment Toolkit\Bin\Microsoft.BDD.Catalog35.exe'
+  Type: Sideloading
+  ExpectedSignatureInformation:
+  - Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+    Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+    Type: Catalog
 Resources:
 - https://securityintelligence.com/posts/windows-features-dll-sideloading/
 - https://github.com/xforcered/WFH
+- https://twitter.com/BSummerz/status/1860045985919205645
 Acknowledgements:
 - Name: Chris Spehn
   Twitter: '@ConsciousHacker'
+- Name: Will Summerhill
+  Twitter: '@BSummerz'
 ---