From b8e6d35f46013dd94026b17c6c4709ec63282f71 Mon Sep 17 00:00:00 2001
From: Will Summerhill <35749735+wsummerhill@users.noreply.github.com>
Date: Sun, 24 Nov 2024 13:45:28 -0500
Subject: [PATCH] Add Microsoft.BDD.Catalog35.exe DLL sideloads (#94)

Co-authored-by: unknown <35749735+wsummerhill@users.noreply.github.om>
---
 yml/microsoft/built-in/cryptbase.yml | 9 +++++++++
 yml/microsoft/built-in/cryptnet.yml | 24 ++++++++++++++++++++++++
 yml/microsoft/built-in/iphlpapi.yml | 9 +++++++++
 yml/microsoft/built-in/profapi.yml | 9 +++++++++
 4 files changed, 51 insertions(+)
 create mode 100644 yml/microsoft/built-in/cryptnet.yml

diff --git a/yml/microsoft/built-in/cryptbase.yml b/yml/microsoft/built-in/cryptbase.yml
index 84bae784..3166d201 100644
--- a/yml/microsoft/built-in/cryptbase.yml
+++ b/yml/microsoft/built-in/cryptbase.yml
@@ -223,11 +223,18 @@ VulnerableExecutables:
     Type: Authenticode
   SHA256:
   - 6511ef24c41cf20f707119dd40971420f1cd6f97f0e888b7d24b5e0dec9d5495
+- Path: '%PROGRAMFILES%\Microsoft Deployment Toolkit\Bin\Microsoft.BDD.Catalog35.exe'
+  Type: Sideloading
+  ExpectedSignatureInformation:
+  - Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+    Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+    Type: Catalog
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://securityintelligence.com/posts/windows-features-dll-sideloading/
 - https://github.com/xforcered/WFH
 - https://twitter.com/AndrewOliveau/status/1682185200862625792
+- https://twitter.com/BSummerz/status/1860045985919205645
 Acknowledgements:
 - Name: Wietze
   Twitter: '@wietze'
@@ -235,3 +242,5 @@ Acknowledgements:
   Twitter: '@ConsciousHacker'
 - Name: Andrew Oliveau
   Twitter: '@AndrewOliveau'
+- Name: Will Summerhill
+  Twitter: '@BSummerz'
diff --git a/yml/microsoft/built-in/cryptnet.yml b/yml/microsoft/built-in/cryptnet.yml
new file mode 100644
index 00000000..9deddbc8
--- /dev/null
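Review bot: The ExpectedSignatureInformation recorded for Microsoft.BDD.Catalog35.exe (Subject `CN=Microsoft Windows`, Issuer `CN=Microsoft Windows Production PCA 2011`, `Type: Catalog`) appears to be copied from the DLL's own signer block rather than read from the executable, since it is byte-identical to what this patch records for cryptnet.dll itself. A binary that a separately installed toolkit places under %PROGRAMFILES% is normally not catalog-signed as an in-box Windows component; as far as I know the Deployment Toolkit binaries carry an embedded Authenticode signature from `CN=Microsoft Corporation` chaining to `Microsoft Code Signing PCA 2011`, so the entry likely needs `Type: Authenticode` and a corrected Subject/Issuer. Please confirm with `Get-AuthenticodeSignature` or `signtool verify /pa /v` against the build you tested and adjust those three lines; detections and allow-lists generated from this database key on the expected signer, so a wrong expectation silently misclassifies the binary. The same six-line block is repeated in the iphlpapi and profapi files, so any correction should be applied to all of them.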
+++ b/yml/microsoft/built-in/cryptnet.yml
@@ -0,0 +1,24 @@
+---
+Name: cryptnet.dll
+Author: Will Summerhill
+Created: 2024-11-22
+Vendor: Microsoft
+ExpectedLocations:
+- '%SYSTEM32%'
+- '%SYSWOW64%'
+ExpectedSignatureInformation:
+- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+  Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+  Type: Catalog
+VulnerableExecutables:
+- Path: '%PROGRAMFILES%\Microsoft Deployment Toolkit\Bin\Microsoft.BDD.Catalog35.exe'
+  Type: Sideloading
+  ExpectedSignatureInformation:
+  - Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+    Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+    Type: Catalog
+Resources:
+- https://twitter.com/BSummerz/status/1860045985919205645
+Acknowledgements:
+- Name: Will Summerhill
+  Twitter: '@BSummerz'
diff --git a/yml/microsoft/built-in/iphlpapi.yml b/yml/microsoft/built-in/iphlpapi.yml
index 0b733010..09712f68 100644
--- a/yml/microsoft/built-in/iphlpapi.yml
+++ b/yml/microsoft/built-in/iphlpapi.yml
@@ -216,6 +216,12 @@ VulnerableExecutables:
     Type: Authenticode
   SHA256:
   - 6511ef24c41cf20f707119dd40971420f1cd6f97f0e888b7d24b5e0dec9d5495
+- Path: '%PROGRAMFILES%\Microsoft Deployment Toolkit\Bin\Microsoft.BDD.Catalog35.exe'
+  Type: Sideloading
+  ExpectedSignatureInformation:
+  - Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+    Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+    Type: Catalog
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://wietze.github.io/blog/save-the-environment-variables
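Review bot: The new cryptnet.yml VulnerableExecutables entry pins neither a `SHA256` nor a toolkit version for the Microsoft.BDD.Catalog35.exe build that was tested, whereas the neighbouring entries visible in cryptbase.yml and iphlpapi.yml carry a `SHA256:` list for their executable. Without that, nobody can later confirm which build actually probes its application directory for cryptnet.dll, or tell whether a newer Deployment Toolkit release still does. If the schema allows it on a `Type: Sideloading` entry, add `  SHA256:` followed by `  - <sha256 of the tested Microsoft.BDD.Catalog35.exe>` under the entry, or at minimum name the MDT build in the Resources link. Separately, the executable's signer block is identical to the DLL's own Catalog block a few lines above, which is unusual for a binary living under %PROGRAMFILES% and is worth re-checking against the file itself.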
@@ -224,6 +230,7 @@ Resources:
 - https://github.com/xforcered/WFH
 - https://twitter.com/AndrewOliveau/status/1682185200862625792
 - https://x00.zip/playing-with-process-handles/
+- https://twitter.com/BSummerz/status/1860045985919205645
 Acknowledgements:
 - Name: Wietze
   Twitter: '@wietze'
@@ -235,3 +242,5 @@ Acknowledgements:
   Twitter: '@AndrewOliveau'
 - Name: Tim Peck
   Twitter: '@B0bby_Tablez'
+- Name: Will Summerhill
+  Twitter: '@BSummerz'
diff --git a/yml/microsoft/built-in/profapi.yml b/yml/microsoft/built-in/profapi.yml
index b4ba09da..2441aa27 100644
--- a/yml/microsoft/built-in/profapi.yml
+++ b/yml/microsoft/built-in/profapi.yml
@@ -75,9 +75,18 @@ VulnerableExecutables:
   - Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
     Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
     Type: Catalog
+- Path: '%PROGRAMFILES%\Microsoft Deployment Toolkit\Bin\Microsoft.BDD.Catalog35.exe'
+  Type: Sideloading
+  ExpectedSignatureInformation:
+  - Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+    Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+    Type: Catalog
 Resources:
 - https://securityintelligence.com/posts/windows-features-dll-sideloading/
 - https://github.com/xforcered/WFH
+- https://twitter.com/BSummerz/status/1860045985919205645
 Acknowledgements:
 - Name: Chris Spehn
   Twitter: '@ConsciousHacker'
+- Name: Will Summerhill
+  Twitter: '@BSummerz'
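Review bot: In the profapi.yml hunk the new Microsoft.BDD.Catalog35.exe entry reuses the exact `CN=Microsoft Windows` / `Microsoft Windows Production PCA 2011` / `Type: Catalog` block of the preceding entry, but that preceding executable is (judging by the Catalog type) an in-box Windows component, while this one is installed by the Deployment Toolkit under %PROGRAMFILES% and is unlikely to be covered by a Windows catalog. Please verify the signer with `Get-AuthenticodeSignature` or `signtool verify /pa /v` on the tested binary; if it is Authenticode-signed by `CN=Microsoft Corporation` as I would expect, change `Type: Catalog` to `Type: Authenticode` and fix the Subject/Issuer lines accordingly. The identical block appears in the cryptbase, cryptnet and iphlpapi entries in this same patch, so keep all four consistent once verified.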