Update cryptbase.yml

Add Microsoft.BDD.Catalog35.exe
wietze · Nov 22, 2024 · 065594b · 065594b
1 parent 73f4101
commit 065594b
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/yml/microsoft/built-in/cryptbase.yml b/yml/microsoft/built-in/cryptbase.yml
@@ -223,15 +223,24 @@ VulnerableExecutables:
     Type: Authenticode
   SHA256:
   - 6511ef24c41cf20f707119dd40971420f1cd6f97f0e888b7d24b5e0dec9d5495
+- Path: 'C:\Program Files\Microsoft Deployment Toolkit\Bin\Microsoft.BDD.Catalog35.exe'
+  Type: Sideloading
+  ExpectedSignatureInformation:
+  - Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+    Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+    Type: Catalog
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://securityintelligence.com/posts/windows-features-dll-sideloading/
 - https://github.com/xforcered/WFH
 - https://twitter.com/AndrewOliveau/status/1682185200862625792
+- https://x.com/BSummerz/status/1860045985919205645
 Acknowledgements:
 - Name: Wietze
   Twitter: '@wietze'
 - Name: Chris Spehn
   Twitter: '@ConsciousHacker'
 - Name: Andrew Oliveau
   Twitter: '@AndrewOliveau'
+- Name: Will Summerhill
+  Twitter: '@BSummerz'