From 065594b269458bfd386aa84b069b205e560c0b9c Mon Sep 17 00:00:00 2001
From: Will Summerhill <35749735+wsummerhill@users.noreply.github.com>
Date: Fri, 22 Nov 2024 14:49:16 -0500
Subject: [PATCH] Update cryptbase.yml

Add Microsoft.BDD.Catalog35.exe
---
 yml/microsoft/built-in/cryptbase.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/yml/microsoft/built-in/cryptbase.yml b/yml/microsoft/built-in/cryptbase.yml
index 84bae784..4148c0c6 100644
--- a/yml/microsoft/built-in/cryptbase.yml
+++ b/yml/microsoft/built-in/cryptbase.yml
@@ -223,11 +223,18 @@ VulnerableExecutables:
 Type: Authenticode
 SHA256:
 - 6511ef24c41cf20f707119dd40971420f1cd6f97f0e888b7d24b5e0dec9d5495
+- Path: 'C:\Program Files\Microsoft Deployment Toolkit\Bin\Microsoft.BDD.Catalog35.exe'
+ Type: Sideloading
+ ExpectedSignatureInformation:
+ - Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+ Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+ Type: Catalog
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://securityintelligence.com/posts/windows-features-dll-sideloading/
 - https://github.com/xforcered/WFH
 - https://twitter.com/AndrewOliveau/status/1682185200862625792
+- https://x.com/BSummerz/status/1860045985919205645
 Acknowledgements:
 - Name: Wietze
 Twitter: '@wietze'
@@ -235,3 +242,5 @@ Acknowledgements:
 Twitter: '@ConsciousHacker'
 - Name: Andrew Oliveau
 Twitter: '@AndrewOliveau'
+- Name: Will Summerhill
+ Twitter: '@BSummerz'
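Review bot: The new Microsoft.BDD.Catalog35.exe entry declares a Catalog-type ExpectedSignatureInformation but carries no SHA256 list, whereas the entry immediately above it (Type: Authenticode) pins a hash; since a catalog signature is not embedded in the file, consumers of this YAML have nothing in the record itself to confirm the executable is the Microsoft-signed one, so a `SHA256:` list with the observed hash (placeholder: `- <sha256-of-observed-binary>`) would make the entry verifiable in the same way as its sibling. It is also worth confirming the Subject: separately installed Microsoft products are commonly signed as `CN=Microsoft Corporation` rather than `CN=Microsoft Windows`, and the Issuer should match whatever the actual catalog shows. The VulnerableExecutables list this entry extends begins above the hunk, so the preceding entry's Path line is not visible here. The second hunk only adds an acknowledgement and needs no change.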