diff --git a/yml/microsoft/built-in/aclui.yml b/yml/microsoft/built-in/aclui.yml
new file mode 100644
index 00000000..d18f643b
--- /dev/null
+++ b/yml/microsoft/built-in/aclui.yml
@@ -0,0 +1,17 @@
+---
+Name: aclui.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\shrpubw.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/activeds.yml b/yml/microsoft/built-in/activeds.yml
index f06ed3a1..7a57184a 100644
--- a/yml/microsoft/built-in/activeds.yml
+++ b/yml/microsoft/built-in/activeds.yml
@@ -7,10 +7,26 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\applysettingstemplatecatalog.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\agentservice.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\dsadd.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsget.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsmod.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsrm.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\gpfixup.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/apphelp.yml b/yml/microsoft/built-in/apphelp.yml
index 433a9ff9..a88139af 100644
--- a/yml/microsoft/built-in/apphelp.yml
+++ b/yml/microsoft/built-in/apphelp.yml
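Review bot: `Created: 2021-08-17` is an unquoted ISO date, which YAML 1.1 loaders such as PyYAML resolve to a date object rather than the string every other scalar in this file is; the same applies to every new file in this commit. If the tooling that consumes these entries (or a JSON export of them) expects a string, write it as `Created: "2021-08-17"`. The pre-existing entries are not visible here, so if they already use the bare form this is a repository-wide convention to settle once rather than a defect of this file alone.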
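Review bot: The new `applysettingstemplatecatalog.exe` entry is inserted ahead of `agentservice.exe`, which breaks the alphabetical order that the rest of this list and every other list touched by this commit keep; move the pair `- Path: '%SYSTEM32%\applysettingstemplatecatalog.exe'` / `Type: Sideloading` to just after the `agentservice.exe` entry's `Type: Sideloading`. Separately, `dsadd.exe`, `dsget.exe`, `dsmod.exe`, `dsrm.exe` and `gpfixup.exe` appear to be AD DS / RSAT command-line tools rather than part of a default client install, so detection authors should not assume they exist on every host. A short comment above those entries naming the feature they ship with would save the next reader a lookup.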
@@ -9,11 +9,17 @@ ExpectedLocations:
 VulnerableExecutables:
 - Path: '%SYSTEM32%\compmgmtlauncher.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\sdbinst.exe'
+ Type: Sideloading
 - Path: '%WINDIR%\explorer.exe'
 Type: Search Order
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/appvpolicy.yml b/yml/microsoft/built-in/appvpolicy.yml
new file mode 100644
index 00000000..8169fe77
--- /dev/null
+++ b/yml/microsoft/built-in/appvpolicy.yml
@@ -0,0 +1,16 @@
+---
+Name: appvpolicy.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\appvclient.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/atl.yml b/yml/microsoft/built-in/atl.yml
index 19047a6b..a3490d01 100644
--- a/yml/microsoft/built-in/atl.yml
+++ b/yml/microsoft/built-in/atl.yml
@@ -7,6 +7,10 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\dsquery.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\filescrn.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\msconfig.exe'
 Type: Sideloading
 AutoElevate: true
@@ -20,6 +24,8 @@ VulnerableExecutables:
 AutoElevate: true
 - Path: '%SYSTEM32%\quickassist.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\storrept.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\vds.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\vdsldr.exe'
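Review bot: `ExpectedLocations` in appvpolicy.yml lists only `%SYSTEM32%`, whereas most sibling files added by this commit (aclui, batmeter, certcli, cmutil) also list `%SYSWOW64%`; if a 32-bit `appvpolicy.dll` does exist under SysWOW64, any detection derived from this entry will fire on legitimate WOW64 loads. Worth confirming on the tested build and either adding ` - "%SYSWOW64%"` or leaving a comment that the DLL is 64-bit only. `bootux.yml`, `configmanager2.yml` and `coredplus.yml` in this commit have the same single-location shape and deserve the same check.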
@@ -30,6 +36,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/batmeter.yml b/yml/microsoft/built-in/batmeter.yml
new file mode 100644
index 00000000..4d8d7115
--- /dev/null
+++ b/yml/microsoft/built-in/batmeter.yml
@@ -0,0 +1,17 @@
+---
+Name: batmeter.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\mblctr.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/bcd.yml b/yml/microsoft/built-in/bcd.yml
index 4b52e9bc..30c577a1 100644
--- a/yml/microsoft/built-in/bcd.yml
+++ b/yml/microsoft/built-in/bcd.yml
@@ -9,6 +9,8 @@ ExpectedLocations:
 VulnerableExecutables:
 - Path: '%SYSTEM32%\bootim.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\cidiag.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\genvalobj.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\mdsched.exe'
@@ -20,6 +22,8 @@ VulnerableExecutables:
 - Path: '%SYSTEM32%\recdisc.exe'
 Type: Sideloading
 AutoElevate: true
+ - Path: '%SYSTEM32%\recoverydrive.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\resetengine.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\rstrui.exe'
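Review bot: `recoverydrive.exe` is added to bcd.yml without an `AutoElevate` field while `recdisc.exe` directly above it carries `AutoElevate: true`; RecoveryDrive.exe is the successor of that tool, so check its manifest on the tested build (for example with `sigcheck -m`) and, if it declares `autoElevate`, add `AutoElevate: true` under the new entry so the elevation angle is not lost. None of the entries added by this commit set `AutoElevate`, which suggests the field was not evaluated rather than found false; a single pass over the new executables would settle it for all of them.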
@@ -61,6 +65,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/bootux.yml b/yml/microsoft/built-in/bootux.yml
new file mode 100644
index 00000000..92a8d332
--- /dev/null
+++ b/yml/microsoft/built-in/bootux.yml
@@ -0,0 +1,16 @@
+---
+Name: bootux.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\bootim.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/cabinet.yml b/yml/microsoft/built-in/cabinet.yml
index 128139a9..4964f084 100644
--- a/yml/microsoft/built-in/cabinet.yml
+++ b/yml/microsoft/built-in/cabinet.yml
@@ -17,6 +17,8 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\extrac32.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\iesettingsync.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\licensingdiag.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\makecab.exe'
@@ -32,6 +34,8 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\plasrv.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\pnputil.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\reagentc.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\recdisc.exe'
@@ -44,6 +48,8 @@ VulnerableExecutables:
 - Path: '%SYSTEM32%\sdclt.exe'
 Type: Sideloading
 AutoElevate: true
+- Path: '%SYSTEM32%\sihclient.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\systemreset.exe'
 Type: Sideloading
 AutoElevate: true
@@ -61,6 +67,10 @@ VulnerableExecutables:
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://wietze.github.io/blog/save-the-environment-variables
+- https://securityintelligence.com/posts/windows-features-dll-sideloading/
+- https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: '@wietze'
+- Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/certcli.yml b/yml/microsoft/built-in/certcli.yml
new file mode 100644
index 00000000..815142e9
--- /dev/null
+++ b/yml/microsoft/built-in/certcli.yml
@@ -0,0 +1,21 @@
+---
+Name: certcli.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\certreq.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\certutil.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\repadmin.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/certenroll.yml b/yml/microsoft/built-in/certenroll.yml
index cd6656e7..46310fde 100644
--- a/yml/microsoft/built-in/certenroll.yml
+++ b/yml/microsoft/built-in/certenroll.yml
@@ -7,10 +7,16 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\certenrollctrl.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\dmcertinst.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/clusapi.yml b/yml/microsoft/built-in/clusapi.yml
index ece682f5..1554fc9d 100644
--- a/yml/microsoft/built-in/clusapi.yml
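Review bot: `certutil.exe` and `certreq.exe` in certcli.yml are already prominent living-off-the-land binaries, so pairing them with a sideloadable `certcli.dll` is a high-value detection that the entry could spell out: a `certcli.dll` image load from outside the listed `ExpectedLocations` by a process whose own image path is also outside System32/SysWOW64 is a strong signal, since the real certutil never runs from elsewhere. `repadmin.exe` appears to ship with the AD DS role or RSAT rather than with a default client install, so a comment such as `# repadmin.exe: AD DS / RSAT only` would help anyone scoping detection content to workstations.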
+++ b/yml/microsoft/built-in/clusapi.yml
@@ -7,6 +7,8 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\dfsrdiag.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\msdtc.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\tieringengineservice.exe'
@@ -15,6 +17,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/cmutil.yml b/yml/microsoft/built-in/cmutil.yml
new file mode 100644
index 00000000..66753809
--- /dev/null
+++ b/yml/microsoft/built-in/cmutil.yml
@@ -0,0 +1,17 @@
+---
+Name: cmutil.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\cmstp.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/configmanager2.yml b/yml/microsoft/built-in/configmanager2.yml
new file mode 100644
index 00000000..52a50fb4
--- /dev/null
+++ b/yml/microsoft/built-in/configmanager2.yml
@@ -0,0 +1,16 @@
+---
+Name: configmanager2.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\hvsievaluator.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
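Review bot: `cmstp.exe` in cmutil.yml is recorded without an `AutoElevate` field, yet sibling entries in this repository use that field for System32 binaries whose manifest declares `autoElevate` (e.g. `msconfig.exe` in atl.yml); cmstp.exe is widely reported to be such a binary, so verify its manifest on the tested build and, if confirmed, add `AutoElevate: true` beneath its `Type: Sideloading`. Without it a reader misses that this sideload can land in a high-integrity process, which is the main reason cmstp is interesting.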
diff --git a/yml/microsoft/built-in/coredplus.yml b/yml/microsoft/built-in/coredplus.yml
new file mode 100644
index 00000000..8de90149
--- /dev/null
+++ b/yml/microsoft/built-in/coredplus.yml
@@ -0,0 +1,16 @@
+---
+Name: coredplus.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\omadmclient.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/coremessaging.yml b/yml/microsoft/built-in/coremessaging.yml
index 8ce9f9cb..98630a31 100644
--- a/yml/microsoft/built-in/coremessaging.yml
+++ b/yml/microsoft/built-in/coremessaging.yml
@@ -9,8 +9,14 @@ ExpectedLocations:
 VulnerableExecutables:
 - Path: '%SYSTEM32%\dwm.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\sihost.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/coreuicomponents.yml b/yml/microsoft/built-in/coreuicomponents.yml
new file mode 100644
index 00000000..06a0917c
--- /dev/null
+++ b/yml/microsoft/built-in/coreuicomponents.yml
@@ -0,0 +1,17 @@
+---
+Name: coreuicomponents.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\dwm.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/credui.yml b/yml/microsoft/built-in/credui.yml
index ca71ad2b..04514841 100644
--- a/yml/microsoft/built-in/credui.yml
+++ b/yml/microsoft/built-in/credui.yml
@@ -11,8 +11,16 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\fxssvc.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\gpfixup.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\licmgr.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\mstsc.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\netdom.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\nlbmgr.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\perfmon.exe'
 Type: Sideloading
 AutoElevate: true
@@ -20,6 +28,8 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\rpcping.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\runas.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\systempropertiesadvanced.exe'
 Type: Sideloading
 AutoElevate: true
@@ -38,6 +48,10 @@ VulnerableExecutables:
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://wietze.github.io/blog/save-the-environment-variables
+- https://securityintelligence.com/posts/windows-features-dll-sideloading/
+- https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: '@wietze'
+- Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/cryptbase.yml b/yml/microsoft/built-in/cryptbase.yml
index 64d45b5d..bb416e44 100644
--- a/yml/microsoft/built-in/cryptbase.yml
+++ b/yml/microsoft/built-in/cryptbase.yml
@@ -7,6 +7,8 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\alg.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\calc.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\compmgmtlauncher.exe'
@@ -79,6 +81,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/cryptdll.yml b/yml/microsoft/built-in/cryptdll.yml
index d38188b7..7a54b06e 100644
--- a/yml/microsoft/built-in/cryptdll.yml
+++ b/yml/microsoft/built-in/cryptdll.yml
@@ -9,8 +9,14 @@ ExpectedLocations:
 VulnerableExecutables:
 - Path: '%SYSTEM32%\at.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\netdom.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/cryptsp.yml b/yml/microsoft/built-in/cryptsp.yml
new file mode 100644
index 00000000..3caa4e8b
--- /dev/null
+++ b/yml/microsoft/built-in/cryptsp.yml
@@ -0,0 +1,33 @@
+---
+Name: cryptsp.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\bcdedit.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\disksnapshot.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\genvalobj.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\omadmclient.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\rmactivate.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\rmactivate_isv.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\rmactivate_ssp.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\rmactivate_ssp_isv.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\werfault.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/d2d1.yml b/yml/microsoft/built-in/d2d1.yml
index b6aefc10..48a901c5 100644
--- a/yml/microsoft/built-in/d2d1.yml
+++ b/yml/microsoft/built-in/d2d1.yml
@@ -11,12 +11,22 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\dwm.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\eoaexperiences.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\gamepanel.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\quickassist.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\vsgraphicsdesktopengine.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\vsgraphicsremoteengine.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/d3d11.yml b/yml/microsoft/built-in/d3d11.yml
index 2440c2ab..730fce1c 100644
--- a/yml/microsoft/built-in/d3d11.yml
+++ b/yml/microsoft/built-in/d3d11.yml
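Review bot: `cryptsp.dll` is loaded by a very large number of Windows processes, so a detection keyed on this DLL loading from outside `ExpectedLocations` will be noisy unless it is scoped to the nine executables listed in cryptsp.yml and to a process image path that is itself outside System32/SysWOW64. It would also help to state how each pairing was validated: an instrumentation tool can report a by-name `LoadLibrary` that the loader still resolves safely (a known DLL, or a call made with `LOAD_LIBRARY_SEARCH_SYSTEM32`), so confirming that a planted DLL beside a relocated copy of e.g. `werfault.exe` actually executes is the evidence a consumer of this file wants. A one-line comment per file such as `# Validated by planting a DLL next to a relocated copy of each executable` would be enough.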
@@ -11,6 +11,8 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\dwm.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\dxcap.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\dxgiadaptercache.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\gamepanel.exe'
@@ -25,11 +27,19 @@ VulnerableExecutables:
 - Path: '%SYSTEM32%\taskmgr.exe'
 Type: Sideloading
 AutoElevate: true
+ - Path: '%SYSTEM32%\vsgraphicsdesktopengine.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\vsgraphicsremoteengine.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\winsat.exe'
 Type: Sideloading
 AutoElevate: true
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/dbghelp.yml b/yml/microsoft/built-in/dbghelp.yml
index 0b050589..109e007a 100644
--- a/yml/microsoft/built-in/dbghelp.yml
+++ b/yml/microsoft/built-in/dbghelp.yml
@@ -21,10 +21,16 @@ ExpectedLocations:
 VulnerableExecutables:
 - Path: '%SYSTEM32%\bootim.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\dxcap.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\taskkill.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\tasklist.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\tracerpt.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\werfault.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\bdehdcfg.exe'
 Type: Environment Variable
 Variable: WINDIR
@@ -61,6 +67,10 @@ VulnerableExecutables:
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://wietze.github.io/blog/save-the-environment-variables
+- https://securityintelligence.com/posts/windows-features-dll-sideloading/
+- https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: '@wietze'
+- Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/dcomp.yml b/yml/microsoft/built-in/dcomp.yml
index 34ed7e99..2d47f9cc 100644
--- a/yml/microsoft/built-in/dcomp.yml
+++ b/yml/microsoft/built-in/dcomp.yml
@@ -7,12 +7,18 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\dataexchangehost.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\gamepanel.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\quickassist.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/deviceassociation.yml b/yml/microsoft/built-in/deviceassociation.yml
index b98adee1..6bf3fd80 100644
--- a/yml/microsoft/built-in/deviceassociation.yml
+++ b/yml/microsoft/built-in/deviceassociation.yml
@@ -9,8 +9,14 @@ ExpectedLocations:
 VulnerableExecutables:
 - Path: '%SYSTEM32%\eduprintprov.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\proximityuxhost.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/devobj.yml b/yml/microsoft/built-in/devobj.yml
index 92032d4c..4ddd3145 100644
--- a/yml/microsoft/built-in/devobj.yml
+++ b/yml/microsoft/built-in/devobj.yml
@@ -43,6 +43,8 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\osk.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\pnputil.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\rdpclip.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\recover.exe'
@@ -51,12 +53,18 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\tabcal.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\vsgraphicsdesktopengine.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\vssvc.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\workfolders.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/dhcpcsvc.yml b/yml/microsoft/built-in/dhcpcsvc.yml
index 8f7aefd5..2a6f058b 100644
--- a/yml/microsoft/built-in/dhcpcsvc.yml
+++ b/yml/microsoft/built-in/dhcpcsvc.yml
@@ -7,12 +7,18 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\ipconfig.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\netiougc.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\netsh.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/dhcpcsvc6.yml b/yml/microsoft/built-in/dhcpcsvc6.yml
index 3e7627d4..8c18b3fc 100644
--- a/yml/microsoft/built-in/dhcpcsvc6.yml
+++ b/yml/microsoft/built-in/dhcpcsvc6.yml
@@ -7,10 +7,16 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\ipconfig.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\netsh.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/dismapi.yml b/yml/microsoft/built-in/dismapi.yml
index 053b6060..f6b2c57b 100644
--- a/yml/microsoft/built-in/dismapi.yml
+++ b/yml/microsoft/built-in/dismapi.yml
@@ -11,6 +11,8 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\deploymentcsphelper.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\directxdatabaseupdater.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\hvsievaluator.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\resetengine.exe'
@@ -23,6 +25,10 @@ VulnerableExecutables:
 AutoElevate: true
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/dmcmnutils.yml b/yml/microsoft/built-in/dmcmnutils.yml
index b9fa5d60..d168c309 100644
--- a/yml/microsoft/built-in/dmcmnutils.yml
+++ b/yml/microsoft/built-in/dmcmnutils.yml
@@ -25,6 +25,8 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\mdmdiagnosticstool.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\mousocoreworker.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\musnotificationux.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\musnotifyicon.exe'
@@ -37,6 +39,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/dmcommandlineutils.yml b/yml/microsoft/built-in/dmcommandlineutils.yml
new file mode 100644
index 00000000..d1f225ac
--- /dev/null
+++ b/yml/microsoft/built-in/dmcommandlineutils.yml
@@ -0,0 +1,17 @@
+---
+Name: dmcommandlineutils.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\provtool.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/dmenrollengine.yml b/yml/microsoft/built-in/dmenrollengine.yml
index 7970a04f..09aad8a1 100644
--- a/yml/microsoft/built-in/dmenrollengine.yml
+++ b/yml/microsoft/built-in/dmenrollengine.yml
@@ -11,6 +11,8 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\dmomacpmo.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\mdmagent.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\mdmappinstaller.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\mdmdiagnosticstool.exe'
@@ -21,6 +23,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/dmiso8601utils.yml b/yml/microsoft/built-in/dmiso8601utils.yml
index ee054a39..fec8f7ed 100644
--- a/yml/microsoft/built-in/dmiso8601utils.yml
+++ b/yml/microsoft/built-in/dmiso8601utils.yml
@@ -9,12 +9,18 @@ ExpectedLocations:
 VulnerableExecutables:
 - Path: '%SYSTEM32%\mdmdiagnosticstool.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\mousocoreworker.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\omadmclient.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\usocoreworker.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/dmpushproxy.yml b/yml/microsoft/built-in/dmpushproxy.yml
index 5883f522..7b2f7f66 100644
--- a/yml/microsoft/built-in/dmpushproxy.yml
+++ b/yml/microsoft/built-in/dmpushproxy.yml
@@ -9,8 +9,14 @@ ExpectedLocations:
 VulnerableExecutables:
 - Path: '%SYSTEM32%\dmcfghost.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\omadmrpc.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/dnsapi.yml b/yml/microsoft/built-in/dnsapi.yml
index 8d35526e..e6754389 100644
--- a/yml/microsoft/built-in/dnsapi.yml
+++ b/yml/microsoft/built-in/dnsapi.yml
@@ -9,20 +9,34 @@ ExpectedLocations:
 VulnerableExecutables:
 - Path: '%SYSTEM32%\checknetisolation.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\dcdiag.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dnscmd.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\edpcleanup.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\ipconfig.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\lpremove.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\msdtc.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\netdom.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\netsh.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\nslookup.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\rendom.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\repadmin.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\securityhealthservice.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\setupugc.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\sihclient.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\spoolsv.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\sppextcomobj.exe'
@@ -41,6 +55,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/drvstore.yml b/yml/microsoft/built-in/drvstore.yml
new file mode 100644
index 00000000..0b158bcc
--- /dev/null
+++ b/yml/microsoft/built-in/drvstore.yml
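Review bot: `dcdiag.exe`, `dnscmd.exe`, `netdom.exe`, `rendom.exe` and `repadmin.exe` added to dnsapi.yml appear to be Windows Server / RSAT tools rather than part of a default client image, while `ipconfig.exe` and `sihclient.exe` are on every install; the entry format has no field for this distinction, so a brief comment above the Server-only entries (or a shared note in the repository schema) would tell detection authors which pairings matter on workstations. `ipconfig.exe` in particular is run constantly by helpdesk scripts, so a rule on `dnsapi.dll` loading from a non-standard path should also require the ipconfig image itself to be outside System32 before alerting.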
@@ -0,0 +1,19 @@
+---
+Name: drvstore.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\infdefaultinstall.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\securityhealthservice.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/dsparse.yml b/yml/microsoft/built-in/dsparse.yml
index 87ce4f4e..a5d7fe63 100644
--- a/yml/microsoft/built-in/dsparse.yml
+++ b/yml/microsoft/built-in/dsparse.yml
@@ -7,10 +7,22 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\dcdiag.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dfsrdiag.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\dmcertinst.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\netdom.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\rendom.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/dsprop.yml b/yml/microsoft/built-in/dsprop.yml
new file mode 100644
index 00000000..fd023751
--- /dev/null
+++ b/yml/microsoft/built-in/dsprop.yml
@@ -0,0 +1,17 @@
+---
+Name: dsprop.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\dsquery.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
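Review bot: The new `infdefaultinstall.exe` entry in drvstore.yml carries no `AutoElevate` field, yet InfDefaultInstall.exe is, on the builds I have looked at, an auto-elevating binary (its embedded manifest sets autoElevate to true), which is precisely what that field exists to record; if that holds for the build WFH was run against, the entry should read `Type: Sideloading` followed by `AutoElevate: true`, as fvewiz.yml does for bitlockerwizardelev.exe in this same change. The other target, securityhealthservice.exe, is a service binary that normally runs as SYSTEM, which is worth a one-line comment for detection engineers even though a Sideloading entry against a System32 binary presupposes either write access to System32 or copying the signed executable elsewhere. Please confirm both points against the actual manifest and service configuration rather than taking my recollection as authoritative.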
diff --git a/yml/microsoft/built-in/dsreg.yml b/yml/microsoft/built-in/dsreg.yml index ccaf3a84..086fdc15 100644 --- a/yml/microsoft/built-in/dsreg.yml +++ b/yml/microsoft/built-in/dsreg.yml @@ -7,10 +7,16 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\bitlockerdeviceencryption.exe' + Type: Sideloading - Path: '%SYSTEM32%\dsregcmd.exe' Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/dsrole.yml b/yml/microsoft/built-in/dsrole.yml index 57b9a719..3d086491 100644 --- a/yml/microsoft/built-in/dsrole.yml +++ b/yml/microsoft/built-in/dsrole.yml @@ -11,15 +11,29 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\cipher.exe' Type: Sideloading +- Path: '%SYSTEM32%\csvde.exe' + Type: Sideloading +- Path: '%SYSTEM32%\dcdiag.exe' + Type: Sideloading +- Path: '%SYSTEM32%\dsdbutil.exe' + Type: Sideloading - Path: '%SYSTEM32%\efsui.exe' Type: Sideloading +- Path: '%SYSTEM32%\gpfixup.exe' + Type: Sideloading - Path: '%SYSTEM32%\net1.exe' Type: Sideloading +- Path: '%SYSTEM32%\netdom.exe' + Type: Sideloading - Path: '%SYSTEM32%\netplwiz.exe' Type: Sideloading AutoElevate: true +- Path: '%SYSTEM32%\ntdsutil.exe' + Type: Sideloading - Path: '%SYSTEM32%\rekeywiz.exe' Type: Sideloading +- Path: '%SYSTEM32%\repadmin.exe' + Type: Sideloading - Path: '%SYSTEM32%\systempropertiesadvanced.exe' Type: Sideloading AutoElevate: true 
@@ -35,6 +49,10 @@ VulnerableExecutables: Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows - https://wietze.github.io/blog/save-the-environment-variables +- https://securityintelligence.com/posts/windows-features-dll-sideloading/ +- https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: '@wietze' +- Name: Chris Spehn + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/dui70.yml b/yml/microsoft/built-in/dui70.yml index 187897c3..dd298d2e 100644 --- a/yml/microsoft/built-in/dui70.yml +++ b/yml/microsoft/built-in/dui70.yml 
@@ -7,17 +7,55 @@ ExpectedLocations: - '%SYSTEM32%' - '%SYSWOW64%' VulnerableExecutables: +- Path: '%SYSTEM32%\bdeunlock.exe' + Type: Sideloading +- Path: '%SYSTEM32%\camerasettings.exe' + Type: Sideloading - Path: '%SYSTEM32%\certreq.exe' Type: Sideloading +- Path: '%SYSTEM32%\dmnotificationbroker.exe' + Type: Sideloading +- Path: '%SYSTEM32%\dpapimig.exe' + Type: Sideloading +- Path: '%SYSTEM32%\licensingui.exe' + Type: Sideloading - Path: '%SYSTEM32%\optionalfeatures.exe' Type: Sideloading AutoElevate: true +- Path: '%SYSTEM32%\osk.exe' + Type: Sideloading +- Path: '%SYSTEM32%\passwordonwakesettingflyout.exe' + Type: Sideloading +- Path: '%SYSTEM32%\phoneactivate.exe' + Type: Sideloading +- Path: '%SYSTEM32%\proximityuxhost.exe' + Type: Sideloading - Path: '%SYSTEM32%\rasphone.exe' Type: Environment Variable Variable: SYSTEMROOT +- Path: '%SYSTEM32%\sessionmsg.exe' + Type: Sideloading +- Path: '%SYSTEM32%\sethc.exe' + Type: Sideloading +- Path: '%SYSTEM32%\sysreseterr.exe' + Type: Sideloading +- Path: '%SYSTEM32%\systemsettingsadminflows.exe' + Type: Sideloading +- Path: '%SYSTEM32%\systemsettingsremovedevice.exe' + Type: Sideloading +- Path: '%SYSTEM32%\utilman.exe' + Type: Sideloading +- Path: '%SYSTEM32%\windowsactiondialog.exe' + Type: Sideloading +- Path: '%SYSTEM32%\wlrmdr.exe' + Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows - https://wietze.github.io/blog/save-the-environment-variables +- https://securityintelligence.com/posts/windows-features-dll-sideloading/ +- https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze - Twitter: '@wietze' + Twitter: "@wietze" +- Name: Chris Spehn + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/duser.yml b/yml/microsoft/built-in/duser.yml index 950ebf85..0ddf1398 100644 --- a/yml/microsoft/built-in/duser.yml +++ b/yml/microsoft/built-in/duser.yml 
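Review bot: Several of the new dui70.yml entries — sethc.exe, utilman.exe and osk.exe, and I believe sessionmsg.exe and wlrmdr.exe as well — are launched by winlogon from the logon desktop as SYSTEM, so a dui70.dll that these binaries resolve runs at SYSTEM before any user signs in, and nothing in the record captures that (a consumer filtering on AutoElevate would miss it entirely). Because `Type: Sideloading` means the DLL is resolved from the executable's own directory, the route is only reachable by someone who can already write to System32 or who copies the signed binary elsewhere, so the practical value is signed-binary proxy execution rather than privilege escalation; a comment such as `# sethc/utilman/osk are spawned by winlogon as SYSTEM from the logon desktop` would help readers weigh it correctly. Separately, the hunk rewrites the unrelated `Twitter: '@wietze'` line to double quotes; that churn should be dropped so the diff only carries the new entries.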
@@ -7,11 +7,36 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\bdeunlock.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\displayswitch.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\easeofaccessdialog.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\lockscreencontentserver.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\mmc.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\msdt.exe'
+ Type: Sideloading
+ AutoElevate: true
+ - Path: '%SYSTEM32%\osk.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\rekeywiz.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\sessionmsg.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\taskmgr.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\utilman.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://twitter.com/0xcarnage/status/1203882560176218113
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/dwmapi.yml b/yml/microsoft/built-in/dwmapi.yml
index 85811c6e..4d2d01f9 100644
--- a/yml/microsoft/built-in/dwmapi.yml
+++ b/yml/microsoft/built-in/dwmapi.yml
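Review bot: The new `taskmgr.exe` entry in duser.yml is missing `AutoElevate: true`, while the existing taskmgr.exe entry in dxgi.yml elsewhere in this same diff carries it; the flag describes the executable's manifest, not the DLL being hijacked, so the two records now disagree and a consumer filtering on AutoElevate will miss the duser.dll route. Add `AutoElevate: true` under its `Type: Sideloading`, and apply the same check to the other copy of taskmgr.exe this change introduces in dxcore.yml. If the `AutoElevate: true` given to msdt.exe here was read from its manifest rather than inferred, it would be worth saying so in the commit message, since that flag is the one field in these records that changes the risk rating.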
@@ -21,18 +21,30 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\lockscreencontentserver.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\mblctr.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\osk.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\proximityuxhost.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\rdpclip.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\rdpshell.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\rdvghelper.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\sndvol.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\snippingtool.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\wmpdmc.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/dxcore.yml b/yml/microsoft/built-in/dxcore.yml
new file mode 100644
index 00000000..cba131cc
--- /dev/null
+++ b/yml/microsoft/built-in/dxcore.yml
@@ -0,0 +1,17 @@
+---
+Name: dxcore.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\taskmgr.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/dxgi.yml b/yml/microsoft/built-in/dxgi.yml
index 4622feaf..8a7e6cc4 100644
--- a/yml/microsoft/built-in/dxgi.yml
+++ b/yml/microsoft/built-in/dxgi.yml
@@ -7,6 +7,8 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\applicationframehost.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\dataexchangehost.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\dwm.exe'
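Review bot: The sole entry in the new dxcore.yml, `taskmgr.exe`, has no `AutoElevate` field, while the existing taskmgr.exe entry in dxgi.yml (visible just below in this diff) is marked `AutoElevate: true`; auto-elevation is a property of the executable's manifest rather than of the DLL being hijacked, so this record should carry `AutoElevate: true` too or the two files contradict each other on the one field that changes the risk rating. It is also worth confirming that taskmgr.exe resolves dxcore.dll through the search order from its own directory, as `Type: Sideloading` asserts, rather than via an explicit System32 path, since a static import-table scan cannot tell the two apart.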
@@ -25,11 +27,17 @@ VulnerableExecutables: - Path: '%SYSTEM32%\taskmgr.exe' Type: Sideloading AutoElevate: true + - Path: '%SYSTEM32%\vsgraphicsremoteengine.exe' + Type: Sideloading - Path: '%SYSTEM32%\winsat.exe' Type: Sideloading AutoElevate: true Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/edgeiso.yml b/yml/microsoft/built-in/edgeiso.yml new file mode 100644 index 00000000..c87e34e8 --- /dev/null +++ b/yml/microsoft/built-in/edgeiso.yml @@ -0,0 +1,23 @@ +--- +Name: edgeiso.dll +Author: Chris Spehn +Created: 2021-08-17 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" + - "%SYSWOW64%" +VulnerableExecutables: + - Path: '%SYSTEM32%\microsoftedgebchost.exe' + Type: Sideloading + - Path: '%SYSTEM32%\microsoftedgecp.exe' + Type: Sideloading + - Path: '%SYSTEM32%\microsoftedgedevtools.exe' + Type: Sideloading + - Path: '%SYSTEM32%\microsoftedgesh.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/esent.yml b/yml/microsoft/built-in/esent.yml index 5cec9b8c..b541da84 100644 --- a/yml/microsoft/built-in/esent.yml +++ b/yml/microsoft/built-in/esent.yml 
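Review bot: All four edgeiso.yml targets (microsoftedgebchost.exe, microsoftedgecp.exe, microsoftedgedevtools.exe, microsoftedgesh.exe) are legacy EdgeHTML binaries, which on the builds I know live under `%WINDIR%\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\` rather than `%SYSTEM32%`, and which Microsoft removed from Windows 10 with the April 2021 cumulative update — two months before this file's Created date. The existing iertutil.yml entries use the same `%SYSTEM32%` path for these binaries, so if the repository deliberately records them that way the path point can be ignored, but the availability caveat stands: please confirm which build WFH observed them on and note it, so detection content built from this file is not aimed at binaries that are no longer present on patched hosts.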
@@ -7,12 +7,22 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\dfsrdiag.exe' + Type: Sideloading + - Path: '%SYSTEM32%\dsdbutil.exe' + Type: Sideloading - Path: '%SYSTEM32%\esentutl.exe' Type: Sideloading - Path: '%SYSTEM32%\tieringengineservice.exe' Type: Sideloading + - Path: '%SYSTEM32%\ntdsutil.exe' + Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/fltlib.yml b/yml/microsoft/built-in/fltlib.yml index b6c22bce..aa9e2b59 100644 --- a/yml/microsoft/built-in/fltlib.yml +++ b/yml/microsoft/built-in/fltlib.yml @@ -15,6 +15,8 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\dpiscaling.exe' Type: Sideloading + - Path: '%SYSTEM32%\dfsrdiag.exe' + Type: Sideloading - Path: '%SYSTEM32%\fltmc.exe' Type: Sideloading - Path: '%SYSTEM32%\psr.exe' @@ -36,6 +38,10 @@ VulnerableExecutables: Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/framedynos.yml b/yml/microsoft/built-in/framedynos.yml new file mode 100644 index 00000000..7a9ef35e --- /dev/null +++ b/yml/microsoft/built-in/framedynos.yml 
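Review bot: The new `ntdsutil.exe` entry in esent.yml is appended after `tieringengineservice.exe`, breaking the alphabetical ordering that the rest of this list and every other VulnerableExecutables list in this change follow; it belongs between `esentutl.exe` and `tieringengineservice.exe`. The same slip appears in fltlib.yml just below, where `dfsrdiag.exe` is inserted after `dpiscaling.exe` instead of before it. Keeping these lists sorted is more than cosmetic here: with several contributors adding entries for the same executables, a duplicate entry is easy to miss in an unsorted list and hard to miss in a sorted one.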
@@ -0,0 +1,25 @@
+---
+Name: framedynos.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\dfsrdiag.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\driverquery.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\getmac.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\openfiles.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\taskkill.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/fveskybackup.yml b/yml/microsoft/built-in/fveskybackup.yml
new file mode 100644
index 00000000..8e743a1e
--- /dev/null
+++ b/yml/microsoft/built-in/fveskybackup.yml
@@ -0,0 +1,16 @@
+---
+Name: fveskybackup.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\bitlockerdeviceencryption.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/fvewiz.yml b/yml/microsoft/built-in/fvewiz.yml
new file mode 100644
index 00000000..7e709e62
--- /dev/null
+++ b/yml/microsoft/built-in/fvewiz.yml
@@ -0,0 +1,19 @@
+---
+Name: fvewiz.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\bitlockerwizard.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\bitlockerwizardelev.exe'
+ Type: Sideloading
+ AutoElevate: true
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/gpapi.yml b/yml/microsoft/built-in/gpapi.yml
new file mode 100644
index 00000000..b1028e82
--- /dev/null
+++ b/yml/microsoft/built-in/gpapi.yml
@@ -0,0 +1,17 @@
+---
+Name: gpapi.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\gpapi.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/icmp.yml b/yml/microsoft/built-in/icmp.yml
new file mode 100644
index 00000000..bd5a93bb
--- /dev/null
+++ b/yml/microsoft/built-in/icmp.yml
@@ -0,0 +1,17 @@
+---
+Name: icmp.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\nlbmgr.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/iertutil.yml b/yml/microsoft/built-in/iertutil.yml
index 82ce70fc..7e878bb2 100644
--- a/yml/microsoft/built-in/iertutil.yml
+++ b/yml/microsoft/built-in/iertutil.yml
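Review bot: The single target in gpapi.yml, `%SYSTEM32%\gpapi.exe`, looks wrong: I am not aware of an executable by that name shipping in System32 (gpapi.dll is the Group Policy client API, and the group-policy executables are gpupdate.exe, gpresult.exe and gpfixup.exe), so this may be the DLL's own name copied into the Path field by mistake. Please verify against the WFH output and either correct the executable name or drop the file; a record that points at a non-existent binary is worse than none for anyone building detection rules from this data, because it will never fire and nobody will notice.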
@@ -7,16 +7,30 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\browserexport.exe' + Type: Sideloading - Path: '%SYSTEM32%\cipher.exe' Type: Sideloading + - Path: '%SYSTEM32%\iesettingsync.exe' + Type: Sideloading + - Path: '%SYSTEM32%\launchwinapp.exe' + Type: Sideloading - Path: '%SYSTEM32%\microsoftedgebchost.exe' Type: Sideloading - Path: '%SYSTEM32%\microsoftedgecp.exe' Type: Sideloading - Path: '%SYSTEM32%\microsoftedgedevtools.exe' Type: Sideloading + - Path: '%SYSTEM32%\microsoftedgesh.exe' + Type: Sideloading + - Path: '%SYSTEM32%\wwahost.exe' + Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/ifsutil.yml b/yml/microsoft/built-in/ifsutil.yml new file mode 100644 index 00000000..e211d4d0 --- /dev/null +++ b/yml/microsoft/built-in/ifsutil.yml @@ -0,0 +1,25 @@ +--- +Name: ifsutil.dll +Author: Chris Spehn +Created: 2021-08-16 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" + - "%SYSWOW64%" +VulnerableExecutables: + - Path: '%SYSTEM32%\convert.exe' + Type: Sideloading + - Path: '%SYSTEM32%\fsavailux.exe' + Type: Sideloading + - Path: '%SYSTEM32%\label.exe' + Type: Sideloading + - Path: '%SYSTEM32%\recover.exe' + Type: Sideloading + - Path: '%SYSTEM32%\xcopy.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/iphlpapi.yml b/yml/microsoft/built-in/iphlpapi.yml index 0399b070..6dcf0e30 100644 --- a/yml/microsoft/built-in/iphlpapi.yml +++ b/yml/microsoft/built-in/iphlpapi.yml 
@@ -13,6 +13,8 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\datausagelivetiletask.exe' Type: Sideloading +- Path: '%SYSTEM32%\dcdiag.exe' + Type: Sideloading - Path: '%SYSTEM32%\devicecensus.exe' Type: Sideloading - Path: '%SYSTEM32%\dnscacheugc.exe' @@ -24,6 +26,10 @@ VulnerableExecutables: - Path: '%SYSTEM32%\fxsunatd.exe' Type: Sideloading AutoElevate: true +- Path: '%SYSTEM32%\ipconfig.exe' + Type: Sideloading +- Path: '%SYSTEM32%\mousocoreworker.exe' + Type: Sideloading - Path: '%SYSTEM32%\msra.exe' Type: Sideloading - Path: '%SYSTEM32%\mstsc.exe' @@ -80,8 +86,12 @@ Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows - https://wietze.github.io/blog/save-the-environment-variables - https://twitter.com/SBousseaden/status/1550903546916311043 +- https://securityintelligence.com/posts/windows-features-dll-sideloading/ +- https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: '@wietze' - Name: Samir Twitter: '@sbousseaden' +- Name: Chris Spehn + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/iumsdk.yml b/yml/microsoft/built-in/iumsdk.yml new file mode 100644 index 00000000..098ac9f5 --- /dev/null +++ b/yml/microsoft/built-in/iumsdk.yml @@ -0,0 +1,20 @@ +--- +Name: iumsdk.dll +Author: Chris Spehn +Created: 2021-08-16 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" +VulnerableExecutables: + - Path: '%SYSTEM32%\bioiso.exe' + Type: Sideloading + - Path: '%SYSTEM32%\fsiso.exe' + Type: Sideloading + - Path: '%SYSTEM32%\ngciso.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/ktmw32.yml b/yml/microsoft/built-in/ktmw32.yml index d445ea26..d32115ce 100644 --- a/yml/microsoft/built-in/ktmw32.yml +++ b/yml/microsoft/built-in/ktmw32.yml 
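Review bot: The three targets in the new iumsdk.yml — bioiso.exe, fsiso.exe and ngciso.exe — are VBS trustlets (Isolated User Mode processes hosted by the secure kernel), and iumsdk.dll is the IUM support library they import; with VBS enabled, the secure kernel validates the signature of every image mapped into a trustlet and will not accept a rogue iumsdk.dll, and I do not believe these binaries can be started as ordinary VTL0 processes at all. If that holds, the `Sideloading` classification is theoretical rather than exploitable, which should be stated in the file (e.g. `# IUM trustlets: only loadable under VBS, which rejects unsigned images`) or backed by a demonstration before publishing, so readers do not plan an operation around a hijack that cannot run. Please confirm against a VBS-enabled host rather than relying on my recollection.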
@@ -7,6 +7,8 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\ktmutil.exe' + Type: Sideloading - Path: '%SYSTEM32%\msdtc.exe' Type: Sideloading - Path: '%SYSTEM32%\mstsc.exe' @@ -22,6 +24,10 @@ VulnerableExecutables: Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/lockhostingframework.yml b/yml/microsoft/built-in/lockhostingframework.yml new file mode 100644 index 00000000..19dcfed6 --- /dev/null +++ b/yml/microsoft/built-in/lockhostingframework.yml @@ -0,0 +1,16 @@ +--- +Name: lockhostingframework.dll +Author: Chris Spehn +Created: 2021-08-17 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" +VulnerableExecutables: + - Path: '%SYSTEM32%\lockapphost.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/logoncli.yml b/yml/microsoft/built-in/logoncli.yml index f08ce1cb..6c15ec1b 100644 --- a/yml/microsoft/built-in/logoncli.yml +++ b/yml/microsoft/built-in/logoncli.yml 
@@ -15,34 +15,60 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\chgport.exe' Type: Sideloading + - Path: '%SYSTEM32%\csvde.exe' + Type: Sideloading - Path: '%SYSTEM32%\devicecensus.exe' Type: Sideloading - Path: '%SYSTEM32%\djoin.exe' Type: Sideloading + - Path: '%SYSTEM32%\dsacls.exe' + Type: Sideloading + - Path: '%SYSTEM32%\dsmgmt.exe' + Type: Sideloading - Path: '%SYSTEM32%\dsregcmd.exe' Type: Sideloading - Path: '%SYSTEM32%\efsui.exe' Type: Sideloading + - Path: '%SYSTEM32%\gpfixup.exe' + Type: Sideloading - Path: '%SYSTEM32%\gpresult.exe' Type: Sideloading + - Path: '%SYSTEM32%\klist.exe' + Type: Sideloading - Path: '%SYSTEM32%\ksetup.exe' Type: Sideloading + - Path: '%SYSTEM32%\ldifde.exe' + Type: Sideloading - Path: '%SYSTEM32%\net1.exe' Type: Sideloading - Path: '%SYSTEM32%\nltest.exe' Type: Sideloading + - Path: '%SYSTEM32%\netdom.exe' + Type: Sideloading + - Path: '%SYSTEM32%\ntdsutil.exe' + Type: Sideloading - Path: '%SYSTEM32%\query.exe' Type: Sideloading - Path: '%SYSTEM32%\quser.exe' Type: Sideloading - Path: '%SYSTEM32%\qwinsta.exe' Type: Sideloading + - Path: '%SYSTEM32%\redircmp.exe' + Type: Sideloading + - Path: '%SYSTEM32%\redirusr.exe' + Type: Sideloading - Path: '%SYSTEM32%\rekeywiz.exe' Type: Sideloading + - Path: '%SYSTEM32%\rendom.exe' + Type: Sideloading + - Path: '%SYSTEM32%\repadmin.exe' + Type: Sideloading - Path: '%SYSTEM32%\reset.exe' Type: Sideloading - Path: '%SYSTEM32%\rwinsta.exe' Type: Sideloading + - Path: '%SYSTEM32%\setspn.exe' + Type: Sideloading - Path: '%SYSTEM32%\systempropertiesadvanced.exe' Type: Sideloading AutoElevate: true @@ -57,6 +83,10 @@ VulnerableExecutables: Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" 
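Review bot: The new `netdom.exe` entry in logoncli.yml is inserted after `nltest.exe`, breaking the alphabetical order the rest of this list keeps; it belongs between `net1.exe` and `nltest.exe`. More substantively, roughly half of the additions (csvde.exe, dsacls.exe, dsmgmt.exe, ldifde.exe, netdom.exe, ntdsutil.exe, redircmp.exe, redirusr.exe, rendom.exe, repadmin.exe and setspn.exe) only exist on hosts with the AD DS role or RSAT installed, so `%SYSTEM32%` is an expected location only on domain controllers and admin workstations; a comment such as `# AD DS / RSAT tools: present only on DCs and hosts with RSAT` would stop client-focused detection content from being built around binaries that are absent there. This hunk starts mid-list, so I have only reviewed the entries shown.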
diff --git a/yml/microsoft/built-in/lrwizdll.yml b/yml/microsoft/built-in/lrwizdll.yml new file mode 100644 index 00000000..b8d63388 --- /dev/null +++ b/yml/microsoft/built-in/lrwizdll.yml @@ -0,0 +1,16 @@ +--- +Name: lrwizdll.dll +Author: Chris Spehn +Created: 2021-08-17 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" +VulnerableExecutables: + - Path: '%SYSTEM32%\licmgr.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/mbaexmlparser.yml b/yml/microsoft/built-in/mbaexmlparser.yml new file mode 100644 index 00000000..3b82e93f --- /dev/null +++ b/yml/microsoft/built-in/mbaexmlparser.yml @@ -0,0 +1,16 @@ +--- +Name: mbaexmlparser.dll +Author: Chris Spehn +Created: 2021-08-17 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" +VulnerableExecutables: + - Path: '%SYSTEM32%\mbaeparsertask.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/mfc42u.yml b/yml/microsoft/built-in/mfc42u.yml new file mode 100644 index 00000000..91f314a4 --- /dev/null +++ b/yml/microsoft/built-in/mfc42u.yml 
@@ -0,0 +1,41 @@ +--- +Name: mfc42u.dll +Author: Chris Spehn +Created: 2021-08-16 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" + - "%SYSWOW64%" +VulnerableExecutables: + - Path: '%SYSTEM32%\devicepairingwizard.exe' + Type: Sideloading + - Path: '%SYSTEM32%\dirquota.exe' + Type: Sideloading + - Path: '%SYSTEM32%\eudcedit.exe' + Type: Sideloading + - Path: '%SYSTEM32%\filescrn.exe' + Type: Sideloading + - Path: '%SYSTEM32%\ldp.exe' + Type: Sideloading + - Path: '%SYSTEM32%\msconfig.exe' + Type: Sideloading + - Path: '%SYSTEM32%\msinfo32.exe' + Type: Sideloading + - Path: '%SYSTEM32%\mspaint.exe' + Type: Sideloading + - Path: '%SYSTEM32%\nlbmgr.exe' + Type: Sideloading + - Path: '%SYSTEM32%\shrpubw.exe' + Type: Sideloading + - Path: '%SYSTEM32%\storrept.exe' + Type: Sideloading + - Path: '%SYSTEM32%\verifiergui.exe' + Type: Sideloading + - Path: '%SYSTEM32%\wfs.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/mmdevapi.yml b/yml/microsoft/built-in/mmdevapi.yml index 9a1aa459..8b868f5e 100644 --- a/yml/microsoft/built-in/mmdevapi.yml +++ b/yml/microsoft/built-in/mmdevapi.yml @@ -7,6 +7,8 @@ ExpectedLocations: - '%SYSTEM32%' - '%SYSWOW64%' VulnerableExecutables: +- Path: '%SYSTEM32%\audiodg.exe' + Type: Sideloading - Path: '%SYSTEM32%\osk.exe' Type: Sideloading - Path: '%SYSTEM32%\certreq.exe' @@ -30,6 +32,10 @@ VulnerableExecutables: Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows - https://wietze.github.io/blog/save-the-environment-variables +- https://securityintelligence.com/posts/windows-features-dll-sideloading/ +- https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze - Twitter: '@wietze' + Twitter: "@wietze" +- Name: Chris Spehn + Twitter: "@ConsciousHacker" 
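Review bot: The `msconfig.exe` entry in the new mfc42u.yml carries no `AutoElevate` flag; msconfig.exe is a well-known auto-elevating binary, so if the repository's other records for it carry `AutoElevate: true` this one must match, because the flag describes the executable's manifest and not the DLL being hijacked, and a dataset that contradicts itself on it will mislead whoever filters on it. Please add `AutoElevate: true` under its `Type: Sideloading` after checking the manifest. I cannot tell from the record which build WFH ran against, and several targets here (eudcedit.exe, mspaint.exe, wfs.exe) have been rewritten or moved out of System32 on recent releases, so noting the build in Resources would make these import-table findings reproducible.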
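Review bot: The new `audiodg.exe` entry in mmdevapi.yml deserves a caveat: audiodg.exe (Windows Audio Device Graph Isolation) has historically run as a protected process for audio DRM, and a protected process will not load a DLL that is not signed to the required level, so if that still holds on the build WFH examined, the Sideloading route is theoretical unless the binary is copied out and run unprotected — worth a `# audiodg.exe may run protected; verify an unsigned DLL loads` note. It is also inserted ahead of `osk.exe` and `certreq.exe`, so the list is no longer in any consistent order. Finally, the hunk rewrites the unrelated `Twitter: '@wietze'` line to double quotes; that churn should be dropped so the change only carries the new entry and acknowledgements.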
diff --git a/yml/microsoft/built-in/mobilenetworking.yml b/yml/microsoft/built-in/mobilenetworking.yml index 05c966d5..2c143d10 100644 --- a/yml/microsoft/built-in/mobilenetworking.yml +++ b/yml/microsoft/built-in/mobilenetworking.yml @@ -7,10 +7,16 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\mbaeparsertask.exe' + Type: Sideloading - Path: '%SYSTEM32%\netsh.exe' Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/mpr.yml b/yml/microsoft/built-in/mpr.yml index dd37fb1f..214ee173 100644 --- a/yml/microsoft/built-in/mpr.yml +++ b/yml/microsoft/built-in/mpr.yml 
@@ -7,11 +7,57 @@ ExpectedLocations: - '%SYSTEM32%' - '%SYSWOW64%' VulnerableExecutables: +- Path: '%SYSTEM32%\bootcfg.exe' + Type: Sideloading +- Path: '%SYSTEM32%\dcdiag.exe' + Type: Sideloading +- Path: '%SYSTEM32%\dfsrdiag.exe' + Type: Sideloading +- Path: '%SYSTEM32%\driverquery.exe' + Type: Sideloading +- Path: '%SYSTEM32%\dsmgmt.exe' + Type: Sideloading +- Path: '%SYSTEM32%\eventcreate.exe' + Type: Sideloading - Path: '%SYSTEM32%\filehistory.exe' Type: Environment Variable Variable: SYSTEMROOT +- Path: '%SYSTEM32%\getmac.exe' + Type: Sideloading +- Path: '%SYSTEM32%\gpresult.exe' + Type: Sideloading +- Path: '%SYSTEM32%\iesettingsync.exe' + Type: Sideloading +- Path: '%SYSTEM32%\net.exe' + Type: Sideloading +- Path: '%SYSTEM32%\ntdsutil.exe' + Type: Sideloading +- Path: '%SYSTEM32%\openfiles.exe' + Type: Sideloading +- Path: '%SYSTEM32%\pnpunattend.exe' + Type: Sideloading +- Path: '%SYSTEM32%\rdpclip.exe' + Type: Sideloading +- Path: '%SYSTEM32%\rekeywiz.exe' + Type: Sideloading +- Path: '%SYSTEM32%\repadmin.exe' + Type: Sideloading +- Path: '%SYSTEM32%\sdclt.exe' + Type: Sideloading +- Path: '%SYSTEM32%\setupugc.exe' + Type: Sideloading +- Path: '%SYSTEM32%\systeminfo.exe' + Type: Sideloading +- Path: '%SYSTEM32%\taskkill.exe' + Type: Sideloading +- Path: '%SYSTEM32%\waitfor.exe' + Type: Sideloading Resources: - https://wietze.github.io/blog/save-the-environment-variables +- https://securityintelligence.com/posts/windows-features-dll-sideloading/ +- https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: '@wietze' +- Name: Chris Spehn + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/mscoree.yml b/yml/microsoft/built-in/mscoree.yml index ff6f70cd..a1ff7a4b 100644 --- a/yml/microsoft/built-in/mscoree.yml +++ b/yml/microsoft/built-in/mscoree.yml 
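Review bot: The `sdclt.exe` entry added to mpr.yml has no `AutoElevate` field, even though sdclt.exe is one of the better-known auto-elevating binaries (it underlies several published UAC bypasses); if the repository marks it that way elsewhere, this record must carry `AutoElevate: true` too, since the flag belongs to the executable and has to agree across every DLL file that lists it. Among the other 21 additions, net.exe, gpresult.exe, systeminfo.exe and taskkill.exe are some of the most commonly abused LOLBins in this dataset, so before they go live it is worth confirming each really resolves mpr.dll through the search order from its own directory rather than via an explicit System32 path, which a static import-table scan cannot distinguish. Mixing the list's pre-existing `Environment Variable` entry for filehistory.exe with `Sideloading` entries is fine, but the mixed `'@wietze'`/`"@ConsciousHacker"` quoting in Acknowledgements should be made consistent.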
@@ -7,10 +7,16 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\aitstatic.exe' + Type: Sideloading - Path: '%SYSTEM32%\presentationhost.exe' Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/msctfmonitor.yml b/yml/microsoft/built-in/msctfmonitor.yml index 55809a83..b5768a56 100644 --- a/yml/microsoft/built-in/msctfmonitor.yml +++ b/yml/microsoft/built-in/msctfmonitor.yml @@ -7,10 +7,16 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\credwiz.exe' + Type: Sideloading - Path: '%SYSTEM32%\ctfmon.exe' Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/msdrm.yml b/yml/microsoft/built-in/msdrm.yml index 5c825837..40f179a1 100644 --- a/yml/microsoft/built-in/msdrm.yml +++ b/yml/microsoft/built-in/msdrm.yml @@ -15,8 +15,14 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\rmactivate_isv.exe' Type: Sideloading + - Path: '%SYSTEM32%\snippingtool.exe' + Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/msiso.yml b/yml/microsoft/built-in/msiso.yml new file mode 100644 index 00000000..65a7e94a --- /dev/null 
+++ b/yml/microsoft/built-in/msiso.yml
@@ -0,0 +1,17 @@
+---
+Name: msiso.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\browserexport.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/msvcp110_win.yml b/yml/microsoft/built-in/msvcp110_win.yml
new file mode 100644
index 00000000..97ea7f69
--- /dev/null
+++ b/yml/microsoft/built-in/msvcp110_win.yml
@@ -0,0 +1,37 @@
+---
+Name: msvcp110_win.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\agentactivationruntimestarter.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\appidpolicyconverter.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dmcertinst.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dmomacpmo.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\locationnotificationwindows.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\mdmagent.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\mdmappinstaller.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\omadmclient.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\provlaunch.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\provtool.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\windowsactiondialog.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/mswsock.yml b/yml/microsoft/built-in/mswsock.yml
index bf99bbca..baae4631 100644
--- a/yml/microsoft/built-in/mswsock.yml
+++ b/yml/microsoft/built-in/mswsock.yml
@@ -7,18 +7,26 @@ ExpectedLocations:
 - '%SYSTEM32%'
 - '%SYSWOW64%'
 VulnerableExecutables:
+- Path: '%SYSTEM32%\alg.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\curl.exe'
 Type: Environment Variable
 Variable: SYSTEMROOT
 - Path: '%SYSTEM32%\devicecensus.exe'
 Type: Environment Variable
 Variable: SYSTEMROOT
+- Path: '%SYSTEM32%\finger.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\fsquirt.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\ftp.exe'
 Type: Environment Variable
 Variable: SYSTEMROOT
 - Path: '%SYSTEM32%\hostname.exe'
 Type: Environment Variable
 Variable: SYSTEMROOT
+- Path: '%SYSTEM32%\nbtstat.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\nslookup.exe'
 Type: Environment Variable
 Variable: SYSTEMROOT
@@ -60,6 +68,10 @@ VulnerableExecutables:
 Variable: SYSTEMROOT
 Resources:
 - https://wietze.github.io/blog/save-the-environment-variables
+- https://securityintelligence.com/posts/windows-features-dll-sideloading/
+- https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: '@wietze'
+- Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/ncrypt.yml b/yml/microsoft/built-in/ncrypt.yml
index e027bab7..5ae3232a 100644
--- a/yml/microsoft/built-in/ncrypt.yml
+++ b/yml/microsoft/built-in/ncrypt.yml
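Review bot: The new `Twitter: "@ConsciousHacker"` line in the mswsock.yml Acknowledgements hunk is double-quoted while the existing `Twitter: '@wietze'` entry in the same mapping is single-quoted; the same mismatch appears in the ncrypt.yml, pdh.yml and propsys.yml hunks. Both forms parse to the same string, and the leading `@` does require quoting, so this is purely a point of consistency within each file; `Twitter: '@ConsciousHacker'` would match the surrounding lines in those four files.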
@@ -7,11 +7,29 @@ ExpectedLocations:
 - '%SYSTEM32%'
 - '%SYSWOW64%'
 VulnerableExecutables:
+- Path: '%SYSTEM32%\certreq.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\certutil.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\clipup.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\dmcertinst.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\dnscmd.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\dsregcmd.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\filehistory.exe'
 Type: Environment Variable
 Variable: SYSTEMROOT
+- Path: '%SYSTEM32%\sgrmbroker.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/save-the-environment-variables
+- https://securityintelligence.com/posts/windows-features-dll-sideloading/
+- https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: '@wietze'
+- Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/netapi32.yml b/yml/microsoft/built-in/netapi32.yml
new file mode 100644
index 00000000..2b7d6514
--- /dev/null
+++ b/yml/microsoft/built-in/netapi32.yml
@@ -0,0 +1,49 @@
+---
+Name: netapi32.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\appvclient.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\bootcfg.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\certutil.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dcdiag.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dfscmd.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dfsdiag.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dfsrdiag.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dfsutil.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dnscmd.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsadd.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsget.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsquery.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\ie4uinit.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\mstsc.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\qappsrv.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\spaceagent.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\wbengine.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/netjoin.yml b/yml/microsoft/built-in/netjoin.yml
new file mode 100644
index 00000000..cdb77fc6
--- /dev/null
+++ b/yml/microsoft/built-in/netjoin.yml
@@ -0,0 +1,17 @@
+---
+Name: netjoin.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\netdom.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/netprovfw.yml b/yml/microsoft/built-in/netprovfw.yml
new file mode 100644
index 00000000..34e5bf3f
--- /dev/null
+++ b/yml/microsoft/built-in/netprovfw.yml
@@ -0,0 +1,17 @@
+---
+Name: netprovfw.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\djoin.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/netutils.yml b/yml/microsoft/built-in/netutils.yml
index d5acb4dc..6b6e6a1d 100644
--- a/yml/microsoft/built-in/netutils.yml
+++ b/yml/microsoft/built-in/netutils.yml
@@ -17,6 +17,12 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\chgport.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\credwiz.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\csvde.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dcdiag.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\devicecensus.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\deviceenroller.exe'
@@ -27,6 +33,12 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\driverquery.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\dsacls.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsdbutil.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsmgmt.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\dsregcmd.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\easinvoker.exe'
@@ -40,12 +52,18 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\getmac.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\gpfixup.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\gpresult.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\ie4uinit.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\klist.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\ksetup.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\ldifde.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\mshta.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\mstsc.exe'
@@ -54,11 +72,15 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\net1.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\netdom.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\netplwiz.exe'
 Type: Sideloading
 AutoElevate: true
 - Path: '%SYSTEM32%\nltest.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\ntdsutil.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\openfiles.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\query.exe'
@@ -69,12 +91,26 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\raserver.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\redircmp.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\redirusr.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\rekeywiz.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\rendom.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\repadmin.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\reset.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\runas.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\rwinsta.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\setspn.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\shrpubw.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\spaceagent.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\systempropertiesadvanced.exe'
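Review bot: None of the entries added to netutils.yml in these hunks carry an `AutoElevate` key, while the neighbouring existing entry `netplwiz.exe` sets `AutoElevate: true`; since that flag is what distinguishes a plain sideload from one that lands in an elevated process, it is worth confirming the field was evaluated for each new executable rather than omitted by default. This is a question, not a claim that any of the new entries should be flagged; I cannot tell from the hunk alone. The same applies to the other files in this commit that add `Type: Sideloading` entries next to existing `AutoElevate: true` ones (secur32.yml, samcli.yml, samlib.yml, propsys.yml, reagent.yml, pdh.yml).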
@@ -101,6 +137,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/newdev.yml b/yml/microsoft/built-in/newdev.yml
index 480754c1..20c8dc60 100644
--- a/yml/microsoft/built-in/newdev.yml
+++ b/yml/microsoft/built-in/newdev.yml
@@ -7,6 +7,8 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\infdefaultinstall.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\pnpunattend.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\systemsettingsadminflows.exe'
@@ -14,6 +16,10 @@ VulnerableExecutables:
 AutoElevate: true
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/ntdsapi.yml b/yml/microsoft/built-in/ntdsapi.yml
index 784c96a8..1184cb3b 100644
--- a/yml/microsoft/built-in/ntdsapi.yml
+++ b/yml/microsoft/built-in/ntdsapi.yml
@@ -11,14 +11,48 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\cipher.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\dcdiag.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dfsrdiag.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dnscmd.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsacls.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsadd.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsdbutil.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsget.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsmgmt.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsquery.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\gpresult.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\licmgr.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\netdom.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\nltest.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\ntdsutil.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\rendom.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\repadmin.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\setspn.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\w32tm.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/ntmarta.yml b/yml/microsoft/built-in/ntmarta.yml
index daddeaea..d9323690 100644
--- a/yml/microsoft/built-in/ntmarta.yml
+++ b/yml/microsoft/built-in/ntmarta.yml
@@ -7,6 +7,8 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+- Path: '%SYSTEM32%\cacls.exe'
+ Type: Sideloading
 - Path: '%PROGRAMFILES%\Google\Chrome\Application\chrome.exe'
 Type: Environment Variable
 Variable: SYSTEMROOT
@@ -18,6 +20,10 @@ VulnerableExecutables:
 Variable: SYSTEMROOT
 Resources:
 - https://wietze.github.io/blog/save-the-environment-variables
+- https://securityintelligence.com/posts/windows-features-dll-sideloading/
+- https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/oleacc.yml b/yml/microsoft/built-in/oleacc.yml
index 469f26bb..c66d60ca 100644
--- a/yml/microsoft/built-in/oleacc.yml
+++ b/yml/microsoft/built-in/oleacc.yml
@@ -26,12 +26,20 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\psr.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\sethc.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\snippingtool.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\utilman.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\wmpdmc.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/omadmapi.yml b/yml/microsoft/built-in/omadmapi.yml
index 1ca58584..f425034d 100644
--- a/yml/microsoft/built-in/omadmapi.yml
+++ b/yml/microsoft/built-in/omadmapi.yml
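Review bot: The added `- Name: Chris Spehn` / `Twitter: "@ConsciousHacker"` lines in the ntmarta.yml Acknowledgements hunk appear to be indented one level deeper than the other additions to this file, which are flush with their parent key (`+- https://...` two lines above, and `+- Path: '%SYSTEM32%\cacls.exe'` in the first hunk). If the existing `- Name: Wietze` entry is flush as well, the new item starts at the column of the `Twitter:` key inside the previous mapping, which a strict parser rejects and a lenient one mis-nests, so the whole file would fail to load. Whitespace is collapsed in this view, so please check the raw file; if the list really is flush, the fix is to write the new entry as `- Name: Chris Spehn` with `  Twitter: "@ConsciousHacker"` beneath it, exactly as the mswsock.yml and ncrypt.yml hunks do.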
@@ -17,16 +17,24 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\hvsievaluator.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\mdmagent.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\mdmappinstaller.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\mdmdiagnosticstool.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\omadmclient.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\omadmrpc.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\usocoreworker.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/opcservices.yml b/yml/microsoft/built-in/opcservices.yml
new file mode 100644
index 00000000..7eb43882
--- /dev/null
+++ b/yml/microsoft/built-in/opcservices.yml
@@ -0,0 +1,17 @@
+---
+Name: opcservices.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\proximityuxhost.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/osuninst.yml b/yml/microsoft/built-in/osuninst.yml
index f30fe074..98efb4fb 100644
--- a/yml/microsoft/built-in/osuninst.yml
+++ b/yml/microsoft/built-in/osuninst.yml
@@ -7,10 +7,16 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\convert.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\vds.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/pcaui.yml b/yml/microsoft/built-in/pcaui.yml
index 9061943f..9730c0e0 100644
--- a/yml/microsoft/built-in/pcaui.yml
+++ b/yml/microsoft/built-in/pcaui.yml
@@ -7,10 +7,16 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\pcaui.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\pcalua.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/pdh.yml b/yml/microsoft/built-in/pdh.yml
index 3c09f918..ad76a06e 100644
--- a/yml/microsoft/built-in/pdh.yml
+++ b/yml/microsoft/built-in/pdh.yml
@@ -14,6 +14,8 @@ VulnerableExecutables:
 - Path: '%SYSTEM32%\taskmgr.exe'
 Type: Sideloading
 AutoElevate: true
+- Path: '%SYSTEM32%\tracerpt.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\typeperf.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\logman.exe'
@@ -22,6 +24,10 @@ VulnerableExecutables:
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://wietze.github.io/blog/save-the-environment-variables
+- https://securityintelligence.com/posts/windows-features-dll-sideloading/
+- https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: '@wietze'
+- Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
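Review bot: In the pcaui.yml hunk the new `pcaui.exe` entry is inserted above the existing `pcalua.exe` entry, but nearly every other hunk in this commit places additions in alphabetical order and `pcalua` sorts before `pcaui`. Moving the two new lines below the `pcalua.exe` pair keeps the list consistent with the rest of the catalog.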
diff --git a/yml/microsoft/built-in/pkeyhelper.yml b/yml/microsoft/built-in/pkeyhelper.yml
new file mode 100644
index 00000000..99600441
--- /dev/null
+++ b/yml/microsoft/built-in/pkeyhelper.yml
@@ -0,0 +1,16 @@
+---
+Name: pkeyhelper.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\sppsvc.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/playsndsrv.yml b/yml/microsoft/built-in/playsndsrv.yml
new file mode 100644
index 00000000..37c2ccf8
--- /dev/null
+++ b/yml/microsoft/built-in/playsndsrv.yml
@@ -0,0 +1,17 @@
+---
+Name: playsndsrv.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\sethc.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/powrprof.yml b/yml/microsoft/built-in/powrprof.yml
new file mode 100644
index 00000000..5a8cdd36
--- /dev/null
+++ b/yml/microsoft/built-in/powrprof.yml
@@ -0,0 +1,23 @@
+---
+Name: powrprof.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\fsquirt.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\msinfo32.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\printfilterpipelinesvc.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\sfc.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/prntvpt.yml b/yml/microsoft/built-in/prntvpt.yml
new file mode 100644
index 00000000..17b699aa
--- /dev/null
+++ b/yml/microsoft/built-in/prntvpt.yml
@@ -0,0 +1,17 @@
+---
+Name: prntvpt.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\printfilterpipelinesvc.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/profapi.yml b/yml/microsoft/built-in/profapi.yml
new file mode 100644
index 00000000..27323d5d
--- /dev/null
+++ b/yml/microsoft/built-in/profapi.yml
@@ -0,0 +1,37 @@
+---
+Name: profapi.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\certreq.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\edpcleanup.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\immersivetpmvscmgrsvr.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\manage-bde.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\mousocoreworker.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\omadmclient.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\provtool.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\rmttpmvscmgrsvr.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\tpmvscmgrsvr.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\usocoreworker.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\wwahost.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/propsys.yml b/yml/microsoft/built-in/propsys.yml
index fb697b07..a657328c 100644
--- a/yml/microsoft/built-in/propsys.yml
+++ b/yml/microsoft/built-in/propsys.yml
@@ -18,6 +18,8 @@ VulnerableExecutables:
 - Path: '%SYSTEM32%\computerdefaults.exe'
 Type: Sideloading
 AutoElevate: true
+- Path: '%SYSTEM32%\customshellhost.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\dpiscaling.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\dsregcmd.exe'
@@ -51,6 +53,8 @@ VulnerableExecutables:
 - Path: '%SYSTEM32%\printui.exe'
 Type: Sideloading
 AutoElevate: true
+- Path: '%SYSTEM32%\proximityuxhost.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\quickassist.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\rdpclip.exe'
@@ -139,6 +143,10 @@ VulnerableExecutables:
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://wietze.github.io/blog/save-the-environment-variables
+- https://securityintelligence.com/posts/windows-features-dll-sideloading/
+- https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: '@wietze'
+- Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/proximitycommon.yml b/yml/microsoft/built-in/proximitycommon.yml
new file mode 100644
index 00000000..df0abdb8
--- /dev/null
+++ b/yml/microsoft/built-in/proximitycommon.yml
@@ -0,0 +1,17 @@
+---
+Name: proximitycommon.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\proximityuxhost.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/proximityservicepal.yml b/yml/microsoft/built-in/proximityservicepal.yml
new file mode 100644
index 00000000..ed3c31e5
--- /dev/null
+++ b/yml/microsoft/built-in/proximityservicepal.yml
@@ -0,0 +1,16 @@
+---
+Name: proximityservicepal.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\proximityuxhost.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/rasdlg.yml b/yml/microsoft/built-in/rasdlg.yml
new file mode 100644
index 00000000..efba09a7
--- /dev/null
+++ b/yml/microsoft/built-in/rasdlg.yml
@@ -0,0 +1,17 @@
+---
+Name: rasdlg.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\rasautou.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/reagent.yml b/yml/microsoft/built-in/reagent.yml
index 13495bd3..ece9facf 100644
--- a/yml/microsoft/built-in/reagent.yml
+++ b/yml/microsoft/built-in/reagent.yml
@@ -14,6 +14,8 @@ VulnerableExecutables:
 - Path: '%SYSTEM32%\recdisc.exe'
 Type: Sideloading
 AutoElevate: true
+ - Path: '%SYSTEM32%\recoverydrive.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\relpost.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\resetengine.exe'
@@ -26,6 +28,10 @@ VulnerableExecutables:
 AutoElevate: true
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/regapi.yml b/yml/microsoft/built-in/regapi.yml
index fe499a05..0eda3683 100644
--- a/yml/microsoft/built-in/regapi.yml
+++ b/yml/microsoft/built-in/regapi.yml
@@ -7,6 +7,8 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\change.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\chglogon.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\query.exe'
@@ -15,6 +17,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/resutils.yml b/yml/microsoft/built-in/resutils.yml
index e2f17d21..bc95c81a 100644
--- a/yml/microsoft/built-in/resutils.yml
+++ b/yml/microsoft/built-in/resutils.yml
@@ -7,10 +7,16 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\dfsdiag.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\msdtc.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/rmclient.yml b/yml/microsoft/built-in/rmclient.yml
index 2282bf67..c101dd3e 100644
--- a/yml/microsoft/built-in/rmclient.yml
+++ b/yml/microsoft/built-in/rmclient.yml
@@ -9,8 +9,14 @@ ExpectedLocations:
 VulnerableExecutables:
 - Path: '%SYSTEM32%\netsh.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\runtimebroker.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/rtutils.yml b/yml/microsoft/built-in/rtutils.yml
index 8f4570a7..61f11433 100644
--- a/yml/microsoft/built-in/rtutils.yml
+++ b/yml/microsoft/built-in/rtutils.yml
@@ -15,8 +15,14 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\rasdial.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\rasphone.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/samcli.yml b/yml/microsoft/built-in/samcli.yml
index bc73c0c0..66f9168f 100644
--- a/yml/microsoft/built-in/samcli.yml
+++ b/yml/microsoft/built-in/samcli.yml
@@ -15,6 +15,10 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\chgport.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\credwiz.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dcdiag.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\deviceenroller.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\dpapimig.exe'
@@ -26,6 +30,8 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\net1.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\netdom.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\netplwiz.exe'
 Type: Sideloading
 AutoElevate: true
@@ -52,6 +58,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/samlib.yml b/yml/microsoft/built-in/samlib.yml
index 7424f312..f2fb159b 100644
--- a/yml/microsoft/built-in/samlib.yml
+++ b/yml/microsoft/built-in/samlib.yml
@@ -9,14 +9,22 @@ ExpectedLocations:
 VulnerableExecutables:
 - Path: '%SYSTEM32%\dpapimig.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\dsmgmt.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\easinvoker.exe'
 Type: Sideloading
 AutoElevate: true
 - Path: '%SYSTEM32%\netplwiz.exe'
 Type: Sideloading
 AutoElevate: true
+ - Path: '%SYSTEM32%\ntdsutil.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/scecli.yml b/yml/microsoft/built-in/scecli.yml
index c023565b..fba837f4 100644
--- a/yml/microsoft/built-in/scecli.yml
+++ b/yml/microsoft/built-in/scecli.yml
@@ -7,10 +7,16 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\convert.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\secedit.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/secur32.yml b/yml/microsoft/built-in/secur32.yml
index 1bfb93df..4aaea30e 100644
--- a/yml/microsoft/built-in/secur32.yml
+++ b/yml/microsoft/built-in/secur32.yml
@@ -7,11 +7,23 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\appvclient.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\calc.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\certreq.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\certutil.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\computerdefaults.exe'
 Type: Sideloading
 AutoElevate: true
+ - Path: '%SYSTEM32%\dfsrdiag.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsregcmd.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsrm.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\fodhelper.exe'
 Type: Sideloading
 AutoElevate: true
@@ -19,8 +31,16 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\klist.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\msdt.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\repadmin.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/security.yml b/yml/microsoft/built-in/security.yml
new file mode 100644
index 00000000..b12cfbe0
--- /dev/null
+++ b/yml/microsoft/built-in/security.yml
@@ -0,0 +1,17 @@
+---
+Name: security.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\telnet.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/slc.yml b/yml/microsoft/built-in/slc.yml
index a64cdf25..b5c826e5 100644
--- a/yml/microsoft/built-in/slc.yml
+++ b/yml/microsoft/built-in/slc.yml
@@ -13,8 +13,16 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\packageinspector.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\phoneactivate.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\slui.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/sppcext.yml b/yml/microsoft/built-in/sppcext.yml
new file mode 100644
index 00000000..d0bf8bfd
--- /dev/null
+++ b/yml/microsoft/built-in/sppcext.yml
@@ -0,0 +1,17 @@
+---
+Name: sppcext.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\phoneactivate.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/srmtrace.yml b/yml/microsoft/built-in/srmtrace.yml
new file mode 100644
index 00000000..cbdcd237
--- /dev/null
+++ b/yml/microsoft/built-in/srmtrace.yml
@@ -0,0 +1,21 @@
+---
+Name: srmtrace.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\dirquota.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\filescrn.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\storrept.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/srpapi.yml b/yml/microsoft/built-in/srpapi.yml
index e2245de8..a32ae945 100644
--- a/yml/microsoft/built-in/srpapi.yml
+++ b/yml/microsoft/built-in/srpapi.yml
@@ -7,12 +7,18 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\appidpolicyconverter.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\mshta.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\rdpclip.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/srvcli.yml b/yml/microsoft/built-in/srvcli.yml
index 9907bfa3..a27cb91f 100644
--- a/yml/microsoft/built-in/srvcli.yml
+++ b/yml/microsoft/built-in/srvcli.yml
@@ -13,6 +13,10 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\chgport.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\dcdiag.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsdbutil.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\driverquery.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\eventcreate.exe'
@@ -27,6 +31,10 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\net1.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\netdom.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\ntdsutil.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\openfiles.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\query.exe'
@@ -39,6 +47,8 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\rwinsta.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\shrpubw.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\spaceagent.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\systempropertiesadvanced.exe'
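Review bot: `dsdbutil.exe` is inserted ahead of `driverquery.exe` in the first srvcli.yml hunk, breaking the alphabetical order that the surrounding context lines keep; it belongs directly after `driverquery.exe`. The same slip appears in utildll.yml and winsta.yml later in this diff, where `qprocess.exe` is placed after `quser.exe` although it sorts before it. Keeping the lists sorted is what makes duplicate entries visible at review time, which matters for a data set that tooling consumes directly.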
@@ -58,6 +68,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/sspicli.yml b/yml/microsoft/built-in/sspicli.yml
index 20d1d150..684c4190 100644
--- a/yml/microsoft/built-in/sspicli.yml
+++ b/yml/microsoft/built-in/sspicli.yml
@@ -9,6 +9,10 @@ ExpectedLocations:
 VulnerableExecutables:
 - Path: '%SYSTEM32%\at.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\bitsadmin.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\bootcfg.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\calc.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\certreq.exe'
@@ -18,6 +22,12 @@ VulnerableExecutables:
 - Path: '%SYSTEM32%\computerdefaults.exe'
 Type: Sideloading
 AutoElevate: true
+- Path: '%SYSTEM32%\credentialenrollmentmanager.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\customshellhost.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\deviceenroller.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\dialer.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\driverquery.exe'
@@ -39,8 +49,16 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\gpresult.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\iesettingsync.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\klist.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\ksetup.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\ldp.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\logman.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\mdeserver.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\msdt.exe'
@@ -56,6 +74,8 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\muiunattend.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\netdom.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\netsh.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\openfiles.exe'
@@ -75,9 +95,13 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\rpcping.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\runas.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\sdclt.exe'
 Type: Sideloading
 AutoElevate: true
+- Path: '%SYSTEM32%\setx.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\shutdown.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\systeminfo.exe'
@@ -108,6 +132,10 @@ VulnerableExecutables:
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://wietze.github.io/blog/save-the-environment-variables
+- https://securityintelligence.com/posts/windows-features-dll-sideloading/
+- https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: '@wietze'
+- Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/sxshared.yml b/yml/microsoft/built-in/sxshared.yml
index 8e4ff7fc..8515c2b5 100644
--- a/yml/microsoft/built-in/sxshared.yml
+++ b/yml/microsoft/built-in/sxshared.yml
@@ -7,10 +7,16 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\defrag.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\dfrgui.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/tbs.yml b/yml/microsoft/built-in/tbs.yml
index 4d07b05e..5aeb1927 100644
--- a/yml/microsoft/built-in/tbs.yml
+++ b/yml/microsoft/built-in/tbs.yml
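Review bot: The added acknowledgement in the last sspicli.yml hunk writes the handle as `Twitter: "@ConsciousHacker"` while the entry directly above it uses single quotes (`Twitter: '@wietze'`); the leading `@` does need quoting, but the file should keep one style, so `  Twitter: '@ConsciousHacker'` would match. twinapi.yml, wdi.yml and wevtapi.yml in this diff show the same mismatch. The new `- Path:` and `- https://` lines correctly follow this file's flush sequence style, so the quoting is the only inconsistency introduced here.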
@@ -13,11 +13,19 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\resetengine.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\sgrmbroker.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\systemreset.exe'
 Type: Sideloading
 AutoElevate: true
+ - Path: '%SYSTEM32%\tpmtool.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/tpmcoreprovisioning.yml b/yml/microsoft/built-in/tpmcoreprovisioning.yml
new file mode 100644
index 00000000..b2d4026a
--- /dev/null
+++ b/yml/microsoft/built-in/tpmcoreprovisioning.yml
@@ -0,0 +1,17 @@
+---
+Name: tpmcoreprovisioning.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\tpmtool.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/tquery.yml b/yml/microsoft/built-in/tquery.yml
index 60d2c1c1..b180b118 100644
--- a/yml/microsoft/built-in/tquery.yml
+++ b/yml/microsoft/built-in/tquery.yml
@@ -9,8 +9,14 @@ ExpectedLocations:
 VulnerableExecutables:
 - Path: '%SYSTEM32%\searchfilterhost.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\searchprotocolhost.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/twinapi.yml b/yml/microsoft/built-in/twinapi.yml
index e9128797..0153c5b1 100644
--- a/yml/microsoft/built-in/twinapi.yml
+++ b/yml/microsoft/built-in/twinapi.yml
@@ -7,6 +7,8 @@ ExpectedLocations:
 - '%SYSTEM32%'
 - '%SYSWOW64%'
 VulnerableExecutables:
+- Path: '%SYSTEM32%\dataexchangehost.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\rasphone.exe'
 Type: Environment Variable
 Variable: SYSTEMROOT
@@ -27,6 +29,10 @@ VulnerableExecutables:
 Variable: SYSTEMROOT
 Resources:
 - https://wietze.github.io/blog/save-the-environment-variables
+- https://securityintelligence.com/posts/windows-features-dll-sideloading/
+- https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: '@wietze'
+- Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/umpdc.yml b/yml/microsoft/built-in/umpdc.yml
new file mode 100644
index 00000000..fe1072e4
--- /dev/null
+++ b/yml/microsoft/built-in/umpdc.yml
@@ -0,0 +1,33 @@
+---
+Name: umpdc.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\deviceenroller.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dmcertinst.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\iesettingsync.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\mousocoreworker.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\netevtfwdr.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\omadmclient.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\settingsynchost.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\usocoreworker.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\wifitask.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/unattend.yml b/yml/microsoft/built-in/unattend.yml
new file mode 100644
index 00000000..3bcbf77c
--- /dev/null
+++ b/yml/microsoft/built-in/unattend.yml
@@ -0,0 +1,16 @@
+---
+Name: unattend.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\recoverydrive.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/updatepolicy.yml b/yml/microsoft/built-in/updatepolicy.yml
index 9de1250f..4f05967b 100644
--- a/yml/microsoft/built-in/updatepolicy.yml
+++ b/yml/microsoft/built-in/updatepolicy.yml
@@ -7,14 +7,22 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\mousocoreworker.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\musnotification.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\musnotificationux.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\usoclient.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\usocoreworker.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/urlmon.yml b/yml/microsoft/built-in/urlmon.yml
new file mode 100644
index 00000000..fb28cbea
--- /dev/null
+++ b/yml/microsoft/built-in/urlmon.yml
@@ -0,0 +1,23 @@
+---
+Name: urlmon.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\bytecodegenerator.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\ie4uinit.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\ldifde.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\presentationhost.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/userenv.yml b/yml/microsoft/built-in/userenv.yml
index 97a26ae7..c6b0d02c 100644
--- a/yml/microsoft/built-in/userenv.yml
+++ b/yml/microsoft/built-in/userenv.yml
@@ -7,10 +7,18 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\appidpolicyconverter.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\appvclient.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\appvshnotify.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\bdeuisrv.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\colorcpl.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\customshellhost.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\dccw.exe'
 Type: Sideloading
 AutoElevate: true
@@ -34,16 +42,24 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\microsoftedgesh.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\mrt.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\msra.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\musnotification.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\musnotificationux.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\netsh.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\omadmclient.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\proquota.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\rekeywiz.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\runexehelper.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\securityhealthservice.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\settingsynchost.exe'
@@ -55,12 +71,18 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\utcdecoderhost.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\vaultcmd.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\workfolders.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\wpcmon.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/utildll.yml b/yml/microsoft/built-in/utildll.yml
index dfc63f1e..bbc2d452 100644
--- a/yml/microsoft/built-in/utildll.yml
+++ b/yml/microsoft/built-in/utildll.yml
@@ -17,6 +17,8 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\quser.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\qprocess.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\qwinsta.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\reset.exe'
@@ -29,6 +31,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/uxtheme.yml b/yml/microsoft/built-in/uxtheme.yml
index 92b68ea1..90902858 100644
--- a/yml/microsoft/built-in/uxtheme.yml
+++ b/yml/microsoft/built-in/uxtheme.yml
@@ -7,6 +7,10 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\atbroker.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\cloudnotifications.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\cttune.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\displayswitch.exe'
@@ -17,16 +21,34 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\gamepanel.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\isoburn.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\mblctr.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\mmc.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\msdt.exe'
 Type: Sideloading
 AutoElevate: true
 - Path: '%SYSTEM32%\msra.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\musnotifyicon.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\passwordonwakesettingflyout.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\quickassist.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\recoverydrive.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\sdclt.exe'
 Type: Sideloading
 AutoElevate: true
+ - Path: '%SYSTEM32%\sethc.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\sndvol.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\snippingtool.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\taskmgr.exe'
 Type: Sideloading
 AutoElevate: true
@@ -40,6 +62,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/vdsutil.yml b/yml/microsoft/built-in/vdsutil.yml
new file mode 100644
index 00000000..920cf156
--- /dev/null
+++ b/yml/microsoft/built-in/vdsutil.yml
@@ -0,0 +1,17 @@
+---
+Name: vdsutil.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\vdsldr.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/version.yml b/yml/microsoft/built-in/version.yml
new file mode 100644
index 00000000..4efdc3d2
--- /dev/null
+++ b/yml/microsoft/built-in/version.yml
@@ -0,0 +1,87 @@
+---
+Name: version.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\agentservice.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\certutil.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\choice.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\clip.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\cmstp.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\cofire.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\cscript.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\diskpart.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\diskraid.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dism.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\driverquery.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\forfiles.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\fxssvc.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\ie4ushowie.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\iexpress.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\msconfig.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\mstsc.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\openfiles.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\presentationhost.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\psr.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\RelPost.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\sfc.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\sigverif.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\systeminfo.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\taskkill.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\tasklist.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\timeout.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\unregmp2.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\verifiergui.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\vsgraphicsdesktopengine.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\waitfor.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\wextract.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\where.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\whoami.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\winsat.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\wscript.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/vssapi.yml b/yml/microsoft/built-in/vssapi.yml
index 97c9db15..fc60ec6d 100644
--- a/yml/microsoft/built-in/vssapi.yml
+++ b/yml/microsoft/built-in/vssapi.yml
@@ -9,6 +9,14 @@ ExpectedLocations:
 VulnerableExecutables:
 - Path: '%SYSTEM32%\bootim.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\cleanmgr.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsdbutil.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\ntdsutil.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\recoverydrive.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\resetengine.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\rstrui.exe'
@@ -30,6 +38,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/wdi.yml b/yml/microsoft/built-in/wdi.yml
index 3c5629f6..b68ba9b2 100644
--- a/yml/microsoft/built-in/wdi.yml
+++ b/yml/microsoft/built-in/wdi.yml
@@ -7,6 +7,8 @@ ExpectedLocations:
 - '%SYSTEM32%'
 - '%SYSWOW64%'
 VulnerableExecutables:
+- Path: '%SYSTEM32%\cofire.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\msra.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\netsh.exe'
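Review bot: `RelPost.exe` is the only mixed-case path in the new version.yml, and in this whole diff; every other entry is lowercase, so a consumer that compares paths case-sensitively would miss it — write it as `  - Path: '%SYSTEM32%\relpost.exe'`. Separately, `winsat.exe` is listed here without an `AutoElevate` attribute while the winmm.yml hunk in this diff carries `AutoElevate: true` for the same binary; the flag is a property of the executable, so the two files should agree, and the other entries that appear elsewhere with the flag deserve the same cross-check. The file otherwise matches the layout of the other new entries (quoted `%SYSTEM32%` paths, Resources and Acknowledgements blocks).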
@@ -20,6 +22,10 @@ VulnerableExecutables:
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://wietze.github.io/blog/save-the-environment-variables
+- https://securityintelligence.com/posts/windows-features-dll-sideloading/
+- https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: '@wietze'
+- Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/wdscore.yml b/yml/microsoft/built-in/wdscore.yml
index 549e5cc6..da9ee09b 100644
--- a/yml/microsoft/built-in/wdscore.yml
+++ b/yml/microsoft/built-in/wdscore.yml
@@ -23,6 +23,8 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\pnpunattend.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\recoverydrive.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\resetengine.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\setupugc.exe'
@@ -36,6 +38,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/webservices.yml b/yml/microsoft/built-in/webservices.yml
index 8265f742..344d31c4 100644
--- a/yml/microsoft/built-in/webservices.yml
+++ b/yml/microsoft/built-in/webservices.yml
@@ -11,12 +11,20 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\sppsvc.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\vsgraphicsdesktopengine.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\vsgraphicsremoteengine.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\wifitask.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\wksprt.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/wevtapi.yml b/yml/microsoft/built-in/wevtapi.yml
index 6bb963b4..093827b0 100644
--- a/yml/microsoft/built-in/wevtapi.yml
+++ b/yml/microsoft/built-in/wevtapi.yml
@@ -7,16 +7,28 @@ ExpectedLocations:
 - '%SYSTEM32%'
 - '%SYSWOW64%'
 VulnerableExecutables:
+- Path: '%SYSTEM32%\cidiag.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\dcdiag.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\gpupdate.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\mbaeparsertask.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\netsh.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\nlb.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\packageinspector.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\plasrv.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\tracerpt.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\wecutil.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\wlbs.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\wsreset.exe'
 Type: Sideloading
 AutoElevate: true
@@ -29,6 +41,10 @@ VulnerableExecutables:
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://wietze.github.io/blog/save-the-environment-variables
+- https://securityintelligence.com/posts/windows-features-dll-sideloading/
+- https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: '@wietze'
+- Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/wimgapi.yml b/yml/microsoft/built-in/wimgapi.yml
index d848e0cf..0417e25b 100644
--- a/yml/microsoft/built-in/wimgapi.yml
+++ b/yml/microsoft/built-in/wimgapi.yml
@@ -7,6 +7,8 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\recoverydrive.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\resetengine.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\systemreset.exe'
@@ -17,8 +19,12 @@ VulnerableExecutables:
 Resources:
 - https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
 - Name: Adam
 Twitter: "@hexacorn"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/winbio.yml b/yml/microsoft/built-in/winbio.yml
new file mode 100644
index 00000000..d546e69c
--- /dev/null
+++ b/yml/microsoft/built-in/winbio.yml
@@ -0,0 +1,17 @@
+---
+Name: winbio.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\securityhealthservice.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/winbrand.yml b/yml/microsoft/built-in/winbrand.yml
index 937368ce..f87ad32e 100644
--- a/yml/microsoft/built-in/winbrand.yml
+++ b/yml/microsoft/built-in/winbrand.yml
@@ -7,6 +7,10 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\bdehdcfg.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\licensediag.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\slui.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\systempropertiesadvanced.exe'
@@ -17,6 +21,10 @@ VulnerableExecutables:
 AutoElevate: true
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/windows.ui.immersive.yml b/yml/microsoft/built-in/windows.ui.immersive.yml
new file mode 100644
index 00000000..d102758d
--- /dev/null
+++ b/yml/microsoft/built-in/windows.ui.immersive.yml
@@ -0,0 +1,19 @@
+---
+Name: windows.ui.immersive.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\dmnotificationbroker.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\phoneactivate.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/winhttp.yml b/yml/microsoft/built-in/winhttp.yml
index 3d089aab..c8567f47 100644
--- a/yml/microsoft/built-in/winhttp.yml
+++ b/yml/microsoft/built-in/winhttp.yml
@@ -34,10 +34,16 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\pacjsworker.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\recoverydrive.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\resetengine.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\rpcping.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\sgrmlpac.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\sihclient.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\systemreset.exe'
 Type: Sideloading
 AutoElevate: true
@@ -45,6 +51,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/wininet.yml b/yml/microsoft/built-in/wininet.yml
index 68ff32c6..21dafbfc 100644
--- a/yml/microsoft/built-in/wininet.yml
+++ b/yml/microsoft/built-in/wininet.yml
@@ -7,6 +7,10 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\appvclient.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\browserexport.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\calc.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\certreq.exe'
@@ -21,6 +25,8 @@ VulnerableExecutables:
 AutoElevate: true
 - Path: '%SYSTEM32%\ie4uinit.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\logagent.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\mdmdiagnosticstool.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\mstsc.exe'
@@ -29,12 +35,18 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\quickassist.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\tokenbrokercookies.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\wkspbroker.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\wksprt.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/winmm.yml b/yml/microsoft/built-in/winmm.yml
index ea2daf14..915819a4 100644
--- a/yml/microsoft/built-in/winmm.yml
+++ b/yml/microsoft/built-in/winmm.yml
@@ -7,12 +7,30 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\mblctr.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\mspaint.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\mstsc.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\osk.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\presentationsettings.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\proximityuxhost.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\wfs.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\winsat.exe'
 Type: Sideloading
 AutoElevate: true
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://securelist.com/wastedlocker-technical-analysis/97944/
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/winscard.yml b/yml/microsoft/built-in/winscard.yml
new file mode 100644
index 00000000..22c00361
--- /dev/null
+++ b/yml/microsoft/built-in/winscard.yml
@@ -0,0 +1,21 @@
+---
+Name: winscard.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\immersivetpmvscmgrsvr.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\rmttpmvscmgrsvr.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\tpmvscmgrsvr.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/winsqlite3.yml b/yml/microsoft/built-in/winsqlite3.yml
index 16e9ee4f..317d9859 100644
--- a/yml/microsoft/built-in/winsqlite3.yml
+++ b/yml/microsoft/built-in/winsqlite3.yml
@@ -7,10 +7,16 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\browserexport.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\mousocoreworker.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/winsta.yml b/yml/microsoft/built-in/winsta.yml
index 52762a72..d19ad97d 100644
--- a/yml/microsoft/built-in/winsta.yml
+++ b/yml/microsoft/built-in/winsta.yml
@@ -25,10 +25,14 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\quser.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\qprocess.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\qwinsta.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\rdpclip.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\rdpinput.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\rdpsa.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\rdpsauachelper.exe'
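Review bot: `Created: 2021-08-17` in the new winscard.yml is an unquoted plain scalar, which YAML 1.1 loaders such as PyYAML turn into a date object rather than a string; the same applies to the other new files in this change (winsync.yml, wsmsvc.yml, wscapi.yml, xpsservices.yml). This matches the layout of the existing files in the repository, so it is only a concern if a consumer of these files expects a string, in which case `Created: "2021-08-17"` is the unambiguous form. Otherwise the new file follows the established field set and quoting of the surrounding entries.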
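Review bot: In the winsta.yml hunk, `qprocess.exe` is inserted after `quser.exe`, which breaks the alphabetical order the surrounding entries (quser, qwinsta, rdpclip, rdpsa, rdpsauachelper) appear to follow, while the other added entry `rdpinput.exe` lands correctly between rdpclip and rdpsa. Moving the two added lines `- Path: '%SYSTEM32%\qprocess.exe'` / `Type: Sideloading` above the `quser.exe` entry keeps the list sorted, assuming sorted order is the file's convention rather than coincidence. The VulnerableExecutables list continues outside the hunk.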
@@ -67,6 +71,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/winsync.yml b/yml/microsoft/built-in/winsync.yml
new file mode 100644
index 00000000..6ef2cc5c
--- /dev/null
+++ b/yml/microsoft/built-in/winsync.yml
@@ -0,0 +1,17 @@
+---
+Name: winsync.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\synchost.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/wkscli.yml b/yml/microsoft/built-in/wkscli.yml
index aa1f0789..d7ed2fb6 100644
--- a/yml/microsoft/built-in/wkscli.yml
+++ b/yml/microsoft/built-in/wkscli.yml
@@ -25,6 +25,10 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\net1.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\netdom.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\secinit.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\systempropertiesadvanced.exe'
 Type: Sideloading
 AutoElevate: true
@@ -35,6 +39,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/wlanapi.yml b/yml/microsoft/built-in/wlanapi.yml
index d54cf6f3..e57fee75 100644
--- a/yml/microsoft/built-in/wlanapi.yml
+++ b/yml/microsoft/built-in/wlanapi.yml
@@ -7,12 +7,18 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\legacynetuxhost.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\netsh.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\wifitask.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/wofutil.yml b/yml/microsoft/built-in/wofutil.yml
index b98c0b27..7a2d113d 100644
--- a/yml/microsoft/built-in/wofutil.yml
+++ b/yml/microsoft/built-in/wofutil.yml
@@ -7,6 +7,8 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\recoverydrive.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\resetengine.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\systemreset.exe'
@@ -14,6 +16,10 @@ VulnerableExecutables:
 AutoElevate: true
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/wscapi.yml b/yml/microsoft/built-in/wscapi.yml
new file mode 100644
index 00000000..683e0781
--- /dev/null
+++ b/yml/microsoft/built-in/wscapi.yml
@@ -0,0 +1,17 @@
+---
+Name: wscapi.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\wscadminui.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/wsmsvc.yml b/yml/microsoft/built-in/wsmsvc.yml
new file mode 100644
index 00000000..64d3ed1f
--- /dev/null
+++ b/yml/microsoft/built-in/wsmsvc.yml
@@ -0,0 +1,21 @@
+---
+Name: wsmsvc.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\winrs.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\wsmanhttpconfig.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\wsmprovhost.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/wtsapi32.yml b/yml/microsoft/built-in/wtsapi32.yml
index 4f4ba8c1..fd7de473 100644
--- a/yml/microsoft/built-in/wtsapi32.yml
+++ b/yml/microsoft/built-in/wtsapi32.yml
@@ -7,16 +7,24 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\appvclient.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\bdeuisrv.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\customshellhost.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\magnify.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\mblctr.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\mdmappinstaller.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\raserver.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\rdpclip.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\rdpinput.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\rdpshell.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\rdvghelper.exe'
@@ -26,6 +34,8 @@ VulnerableExecutables:
 AutoElevate: true
 - Path: '%SYSTEM32%\securityhealthservice.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\sethc.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\slui.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\systemsettingsadminflows.exe'
@@ -36,6 +46,10 @@ VulnerableExecutables:
 AutoElevate: true
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/xmllite.yml b/yml/microsoft/built-in/xmllite.yml
index 26d9f1b3..dfc4cb48 100644
--- a/yml/microsoft/built-in/xmllite.yml
+++ b/yml/microsoft/built-in/xmllite.yml
@@ -19,10 +19,14 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\dmomacpmo.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\dxcap.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\dxpserver.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\mdmdiagnosticstool.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\mousocoreworker.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\musnotificationux.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\musnotifyicon.exe'
@@ -38,10 +42,16 @@ VulnerableExecutables:
 - Path: '%SYSTEM32%\systemreset.exe'
 Type: Sideloading
 AutoElevate: true
+- Path: '%SYSTEM32%\tracerpt.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\upfc.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\usocoreworker.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\vsgraphicsdesktopengine.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\vsgraphicsremoteengine.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\wbengine.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\compmgmtlauncher.exe'
@@ -59,6 +69,10 @@ VulnerableExecutables:
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://wietze.github.io/blog/save-the-environment-variables
+- https://securityintelligence.com/posts/windows-features-dll-sideloading/
+- https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: '@wietze'
+- Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
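Review bot: The added acknowledgement in the last xmllite.yml hunk writes `Twitter: "@ConsciousHacker"` with double quotes while the existing entry two lines above uses `Twitter: '@wietze'`, so the file now mixes quoting styles for the same field; `Twitter: '@ConsciousHacker'` keeps it consistent (the value must stay quoted either way, since a leading `@` is a reserved indicator in YAML). The added `- Path:` and `- https://` entries do follow xmllite.yml's flush sequence style rather than the indented style used by the other files in this change, which is the right call for this file. The Acknowledgements mapping ends at the hunk, but the VulnerableExecutables list in the earlier hunks continues outside them.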
diff --git a/yml/microsoft/built-in/xpsservices.yml b/yml/microsoft/built-in/xpsservices.yml
new file mode 100644
index 00000000..90254e66
--- /dev/null
+++ b/yml/microsoft/built-in/xpsservices.yml
@@ -0,0 +1,17 @@
+---
+Name: xpsservices.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\printfilterpipelinesvc.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"