diff --git a/_entries/microsoft/built-in/cryptbase.md b/_entries/microsoft/built-in/cryptbase.md
index 8790e75..6ed88c0 100644
--- a/_entries/microsoft/built-in/cryptbase.md
+++ b/_entries/microsoft/built-in/cryptbase.md
@@ -223,11 +223,18 @@ VulnerableExecutables:
 Type: Authenticode
 SHA256:
 - 6511ef24c41cf20f707119dd40971420f1cd6f97f0e888b7d24b5e0dec9d5495
+- Path: '%PROGRAMFILES%\Microsoft Deployment Toolkit\Bin\Microsoft.BDD.Catalog35.exe'
+ Type: Sideloading
+ ExpectedSignatureInformation:
+ - Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+ Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+ Type: Catalog
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://securityintelligence.com/posts/windows-features-dll-sideloading/
 - https://github.com/xforcered/WFH
 - https://twitter.com/AndrewOliveau/status/1682185200862625792
+- https://twitter.com/BSummerz/status/1860045985919205645
 Acknowledgements:
 - Name: Wietze
 Twitter: '@wietze'
@@ -235,5 +242,7 @@ Acknowledgements:
 Twitter: '@ConsciousHacker'
 - Name: Andrew Oliveau
 Twitter: '@AndrewOliveau'
+- Name: Will Summerhill
+ Twitter: '@BSummerz'
 ---
diff --git a/_entries/microsoft/built-in/cryptnet.md b/_entries/microsoft/built-in/cryptnet.md
new file mode 100644
index 0000000..b514965
--- /dev/null
+++ b/_entries/microsoft/built-in/cryptnet.md
@@ -0,0 +1,26 @@
+---
+Name: cryptnet.dll
+Author: Will Summerhill
+Created: 2024-11-22
+Vendor: Microsoft
+ExpectedLocations:
+- '%SYSTEM32%'
+- '%SYSWOW64%'
+ExpectedSignatureInformation:
+- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+ Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+ Type: Catalog
+VulnerableExecutables:
+- Path: '%PROGRAMFILES%\Microsoft Deployment Toolkit\Bin\Microsoft.BDD.Catalog35.exe'
+ Type: Sideloading
+ ExpectedSignatureInformation:
+ - Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+ Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+ Type: Catalog
+Resources:
+- https://twitter.com/BSummerz/status/1860045985919205645
+Acknowledgements:
+- Name: Will Summerhill
+ Twitter: '@BSummerz'
+---
+
diff --git a/_entries/microsoft/built-in/iphlpapi.md b/_entries/microsoft/built-in/iphlpapi.md
index 8641b16..21c4050 100644
--- a/_entries/microsoft/built-in/iphlpapi.md
+++ b/_entries/microsoft/built-in/iphlpapi.md
@@ -216,6 +216,12 @@ VulnerableExecutables:
 Type: Authenticode
 SHA256:
 - 6511ef24c41cf20f707119dd40971420f1cd6f97f0e888b7d24b5e0dec9d5495
+- Path: '%PROGRAMFILES%\Microsoft Deployment Toolkit\Bin\Microsoft.BDD.Catalog35.exe'
+ Type: Sideloading
+ ExpectedSignatureInformation:
+ - Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+ Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+ Type: Catalog
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://wietze.github.io/blog/save-the-environment-variables
@@ -224,6 +230,7 @@ Resources:
 - https://github.com/xforcered/WFH
 - https://twitter.com/AndrewOliveau/status/1682185200862625792
 - https://x00.zip/playing-with-process-handles/
+- https://twitter.com/BSummerz/status/1860045985919205645
 Acknowledgements:
 - Name: Wietze
 Twitter: '@wietze'
@@ -235,5 +242,7 @@ Acknowledgements:
 Twitter: '@AndrewOliveau'
 - Name: Tim Peck
 Twitter: '@B0bby_Tablez'
+- Name: Will Summerhill
+ Twitter: '@BSummerz'
 ---
diff --git a/_entries/microsoft/built-in/profapi.md b/_entries/microsoft/built-in/profapi.md
index 9bfeecf..75034db 100644
--- a/_entries/microsoft/built-in/profapi.md
+++ b/_entries/microsoft/built-in/profapi.md
@@ -75,11 +75,20 @@ VulnerableExecutables:
 - Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
 Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
 Type: Catalog
+- Path: '%PROGRAMFILES%\Microsoft Deployment Toolkit\Bin\Microsoft.BDD.Catalog35.exe'
+ Type: Sideloading
+ ExpectedSignatureInformation:
+ - Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+ Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+ Type: Catalog
 Resources:
 - https://securityintelligence.com/posts/windows-features-dll-sideloading/
 - https://github.com/xforcered/WFH
+- https://twitter.com/BSummerz/status/1860045985919205645
 Acknowledgements:
 - Name: Chris Spehn
 Twitter: '@ConsciousHacker'
+- Name: Will Summerhill
+ Twitter: '@BSummerz'
 ---