From df9ac4ba40499a82d2798a0748fe92f09820cc17 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 07:47:55 -0600 Subject: [PATCH 001/156] Added sdbinst.exe to apphelp.dll yaml --- yml/microsoft/built-in/apphelp.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/yml/microsoft/built-in/apphelp.yml b/yml/microsoft/built-in/apphelp.yml index 433a9ff9..01fdafa8 100644 --- a/yml/microsoft/built-in/apphelp.yml +++ b/yml/microsoft/built-in/apphelp.yml @@ -9,6 +9,7 @@ ExpectedLocations: VulnerableExecutables: - Path: '%SYSTEM32%\compmgmtlauncher.exe' Type: Sideloading + - Path: '%SYSTEM32%\sdbinst.exe' - Path: '%WINDIR%\explorer.exe' Type: Search Order Resources: From db657a87c60d8beebd8f9ff2120addec5d2b9099 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 07:49:50 -0600 Subject: [PATCH 002/156] Added sdbinst.exe to apphelp.dll yaml --- yml/microsoft/built-in/apphelp.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/yml/microsoft/built-in/apphelp.yml b/yml/microsoft/built-in/apphelp.yml index 01fdafa8..8443980c 100644 --- a/yml/microsoft/built-in/apphelp.yml +++ b/yml/microsoft/built-in/apphelp.yml @@ -10,6 +10,7 @@ VulnerableExecutables: - Path: '%SYSTEM32%\compmgmtlauncher.exe' Type: Sideloading - Path: '%SYSTEM32%\sdbinst.exe' + Type: Sideloading - Path: '%WINDIR%\explorer.exe' Type: Search Order Resources: From e1eddaa91d55b9cc59371d3ed1ab8dfccad41cb7 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 07:58:44 -0600 Subject: [PATCH 003/156] Added more exes to userenv.yml --- yml/microsoft/built-in/userenv.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/yml/microsoft/built-in/userenv.yml b/yml/microsoft/built-in/userenv.yml index 97a26ae7..bf54d20f 100644 --- a/yml/microsoft/built-in/userenv.yml +++ b/yml/microsoft/built-in/userenv.yml 
@@ -7,10 +7,18 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\appidpolicyconverter.exe' + Type: Sideloading + - Path: '%SYSTEM32%\appvclient.exe' + Type: Sideloading + - Path: '%SYSTEM32%\appvshnotify.exe' + Type: Sideloading - Path: '%SYSTEM32%\bdeuisrv.exe' Type: Sideloading - Path: '%SYSTEM32%\colorcpl.exe' Type: Sideloading + - Path: '%SYSTEM32%\customshellhost.exe' + Type: Sideloading - Path: '%SYSTEM32%\dccw.exe' Type: Sideloading AutoElevate: true @@ -34,16 +42,24 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\microsoftedgesh.exe' Type: Sideloading + - Path: '%SYSTEM32%\mrt.exe' + Type: Sideloading - Path: '%SYSTEM32%\msra.exe' Type: Sideloading - Path: '%SYSTEM32%\musnotification.exe' Type: Sideloading + - Path: '%SYSTEM32%\musnotificationux.exe' + Type: Sideloading - Path: '%SYSTEM32%\netsh.exe' Type: Sideloading - Path: '%SYSTEM32%\omadmclient.exe' Type: Sideloading + - Path: '%SYSTEM32%\proquota.exe' + Type: Sideloading - Path: '%SYSTEM32%\rekeywiz.exe' Type: Sideloading + - Path: '%SYSTEM32%\runexehelper.exe' + Type: Sideloading - Path: '%SYSTEM32%\securityhealthservice.exe' Type: Sideloading - Path: '%SYSTEM32%\settingsynchost.exe' @@ -55,6 +71,8 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\utcdecoderhost.exe' Type: Sideloading + - Path: '%SYSTEM32%\vaultcmd.exe' + Type: Sideloading - Path: '%SYSTEM32%\workfolders.exe' Type: Sideloading - Path: '%SYSTEM32%\wpcmon.exe' From 23a900df6990a2d8c52475d45592cf16a1f718bc Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 08:13:40 -0600 Subject: [PATCH 004/156] Added version.yml for builtin --- yml/microsoft/built-in/version.yml | 87 ++++++++++++++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 yml/microsoft/built-in/version.yml diff --git a/yml/microsoft/built-in/version.yml b/yml/microsoft/built-in/version.yml new file mode 100644 index 00000000..4efdc3d2 --- /dev/null 
+++ b/yml/microsoft/built-in/version.yml 
@@ -0,0 +1,87 @@ +--- +Name: version.dll +Author: Chris Spehn +Created: 2021-08-16 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" + - "%SYSWOW64%" +VulnerableExecutables: + - Path: '%SYSTEM32%\agentservice.exe' + Type: Sideloading + - Path: '%SYSTEM32%\certutil.exe' + Type: Sideloading + - Path: '%SYSTEM32%\choice.exe' + Type: Sideloading + - Path: '%SYSTEM32%\clip.exe' + Type: Sideloading + - Path: '%SYSTEM32%\cmstp.exe' + Type: Sideloading + - Path: '%SYSTEM32%\cofire.exe' + Type: Sideloading + - Path: '%SYSTEM32%\cscript.exe' + Type: Sideloading + - Path: '%SYSTEM32%\diskpart.exe' + Type: Sideloading + - Path: '%SYSTEM32%\diskraid.exe' + Type: Sideloading + - Path: '%SYSTEM32%\dism.exe' + Type: Sideloading + - Path: '%SYSTEM32%\driverquery.exe' + Type: Sideloading + - Path: '%SYSTEM32%\forfiles.exe' + Type: Sideloading + - Path: '%SYSTEM32%\fxssvc.exe' + Type: Sideloading + - Path: '%SYSTEM32%\ie4ushowie.exe' + Type: Sideloading + - Path: '%SYSTEM32%\iexpress.exe' + Type: Sideloading + - Path: '%SYSTEM32%\msconfig.exe' + Type: Sideloading + - Path: '%SYSTEM32%\mstsc.exe' + Type: Sideloading + - Path: '%SYSTEM32%\openfiles.exe' + Type: Sideloading + - Path: '%SYSTEM32%\presentationhost.exe' + Type: Sideloading + - Path: '%SYSTEM32%\psr.exe' + Type: Sideloading + - Path: '%SYSTEM32%\RelPost.exe' + Type: Sideloading + - Path: '%SYSTEM32%\sfc.exe' + Type: Sideloading + - Path: '%SYSTEM32%\sigverif.exe' + Type: Sideloading + - Path: '%SYSTEM32%\systeminfo.exe' + Type: Sideloading + - Path: '%SYSTEM32%\taskkill.exe' + Type: Sideloading + - Path: '%SYSTEM32%\tasklist.exe' + Type: Sideloading + - Path: '%SYSTEM32%\timeout.exe' + Type: Sideloading + - Path: '%SYSTEM32%\unregmp2.exe' + Type: Sideloading + - Path: '%SYSTEM32%\verifiergui.exe' + Type: Sideloading + - Path: '%SYSTEM32%\vsgraphicsdesktopengine.exe' + Type: Sideloading + - Path: '%SYSTEM32%\waitfor.exe' + Type: Sideloading + - Path: '%SYSTEM32%\wextract.exe' + Type: Sideloading + - Path: 
'%SYSTEM32%\where.exe' + Type: Sideloading + - Path: '%SYSTEM32%\whoami.exe' + Type: Sideloading + - Path: '%SYSTEM32%\winsat.exe' + Type: Sideloading + - Path: '%SYSTEM32%\wscript.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From c98cc57c17fbac0b6803b4ca86c01dba595fa5f7 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 08:16:55 -0600 Subject: [PATCH 005/156] Updated resources and acknowledgements --- yml/microsoft/built-in/apphelp.yml | 4 ++++ yml/microsoft/built-in/userenv.yml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/yml/microsoft/built-in/apphelp.yml b/yml/microsoft/built-in/apphelp.yml index 8443980c..8e54fb9b 100644 --- a/yml/microsoft/built-in/apphelp.yml +++ b/yml/microsoft/built-in/apphelp.yml @@ -16,6 +16,10 @@ VulnerableExecutables: Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows - https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" \ No newline at end of file diff --git a/yml/microsoft/built-in/userenv.yml b/yml/microsoft/built-in/userenv.yml index bf54d20f..c6b0d02c 100644 --- a/yml/microsoft/built-in/userenv.yml +++ b/yml/microsoft/built-in/userenv.yml @@ -79,6 +79,10 @@ VulnerableExecutables: Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 508e77b32a1befb6f3c101666f9748846e384261 Mon Sep 17 00:00:00 2001 
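Review bot: The `Created: 2021-08-16` header near the top of the new version.yml is a year off from the commit date (16 Aug 2022) and looks like a typo; it should read `Created: 2022-08-16`. Further down, `RelPost.exe` is the only mixed-case path in the list while every other entry is lowercase, so a consumer that matches these paths case-sensitively will treat it differently; `- Path: '%SYSTEM32%\relpost.exe'` keeps the file consistent. The `winsat.exe` entry is also listed without `AutoElevate: true`, whereas the existing dxgi.yml entry for the same binary (visible in PATCH 010) carries that flag, so one of the two files is wrong about its elevation behaviour. msconfig.exe is, as far as I recall, an auto-elevating binary as well and may deserve the same flag; worth confirming against its manifest before flagging it.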
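Review bot: The new last line of apphelp.yml, `Twitter: "@ConsciousHacker"`, is written without a trailing newline (the `\ No newline at end of file` marker), which later commits in this series correct for mswsock.yml and mmdevapi.yml but not here. Terminate the file with a newline, as the userenv.yml hunk in the same commit already does, so the next appended acknowledgement does not rewrite this line again.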
From: Chris Spehn Date: Tue, 16 Aug 2022 08:25:23 -0600 Subject: [PATCH 006/156] Updated mscoree.yml --- yml/microsoft/built-in/mscoree.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/yml/microsoft/built-in/mscoree.yml b/yml/microsoft/built-in/mscoree.yml index ff6f70cd..594075c1 100644 --- a/yml/microsoft/built-in/mscoree.yml +++ b/yml/microsoft/built-in/mscoree.yml @@ -7,10 +7,16 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\aitstatic.exe' + Type: Sideloading - Path: '%SYSTEM32%\presentationhost.exe' Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" \ No newline at end of file From 52c4865b2ae2778d149059a620f8ed34ab28085f Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 08:27:48 -0600 Subject: [PATCH 007/156] Updated cryptbase.yml --- yml/microsoft/built-in/cryptbase.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/yml/microsoft/built-in/cryptbase.yml b/yml/microsoft/built-in/cryptbase.yml index 64d45b5d..534c332d 100644 --- a/yml/microsoft/built-in/cryptbase.yml +++ b/yml/microsoft/built-in/cryptbase.yml @@ -7,6 +7,8 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\alg.exe' + Type: Sideloading - Path: '%SYSTEM32%\calc.exe' Type: Sideloading - Path: '%SYSTEM32%\compmgmtlauncher.exe' @@ -79,6 +81,10 @@ VulnerableExecutables: Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" \ No newline at end of file 
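Review bot: The appended `Twitter: "@ConsciousHacker"` line at the end of mscoree.yml again lacks a trailing newline (`\ No newline at end of file`), the same defect this series fixes for mswsock.yml in PATCH 009; the cryptbase.yml resources hunk in the following commit has it too. Ending the file with a newline keeps every later addition from producing a spurious change on this line.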
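Review bot: `alg.exe` is added as a plain `Sideloading` target at the top of the cryptbase.yml list, but unlike the interactive binaries around it (calc.exe, compmgmtlauncher.exe) it is a service executable, so it is worth confirming that a standalone copy actually resolves cryptbase.dll before it exits; a service host may bail out early when not started by the SCM, and a delay-loaded import would never be touched. If this was verified with the WFH tooling cited in the new Resources entries, a sentence to that effect in the commit message would save the next reviewer the same question. The same binary is added to mswsock.yml in PATCH 008 under the same assumption.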
From 956532d72d4342fd29bc43b2b02c5d982960ccfc Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 08:31:54 -0600 Subject: [PATCH 008/156] Updated mswsock.yml --- yml/microsoft/built-in/mswsock.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/yml/microsoft/built-in/mswsock.yml b/yml/microsoft/built-in/mswsock.yml index bf99bbca..2cc984ad 100644 --- a/yml/microsoft/built-in/mswsock.yml +++ b/yml/microsoft/built-in/mswsock.yml @@ -7,18 +7,26 @@ ExpectedLocations: - '%SYSTEM32%' - '%SYSWOW64%' VulnerableExecutables: +- Path: '%SYSTEM32%\alg.exe' + Type: Sideloading - Path: '%SYSTEM32%\curl.exe' Type: Environment Variable Variable: SYSTEMROOT - Path: '%SYSTEM32%\devicecensus.exe' Type: Environment Variable Variable: SYSTEMROOT +- Path: '%SYSTEM32%\finger.exe' + Type: Sideloading +- Path: '%SYSTEM32%\fsquirt.exe' + Type: Sideloading - Path: '%SYSTEM32%\ftp.exe' Type: Environment Variable Variable: SYSTEMROOT - Path: '%SYSTEM32%\hostname.exe' Type: Environment Variable Variable: SYSTEMROOT +- Path: '%SYSTEM32%\nbtstat.exe' + Type: Sideloading - Path: '%SYSTEM32%\nslookup.exe' Type: Environment Variable Variable: SYSTEMROOT @@ -60,6 +68,10 @@ VulnerableExecutables: Variable: SYSTEMROOT Resources: - https://wietze.github.io/blog/save-the-environment-variables +- https://securityintelligence.com/posts/windows-features-dll-sideloading/ +- https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: '@wietze' +- Name: Chris Spehn + Twitter: "@ConsciousHacker" \ No newline at end of file From 28be6310c3204b2fec98ffb2ba545c2eeb404bd7 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 08:34:01 -0600 Subject: [PATCH 009/156] Updated srpapi.yml --- yml/microsoft/built-in/mswsock.yml | 2 +- yml/microsoft/built-in/srpapi.yml | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/yml/microsoft/built-in/mswsock.yml b/yml/microsoft/built-in/mswsock.yml index 2cc984ad..baae4631 100644 
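Review bot: The four new entries (`alg.exe`, `finger.exe`, `fsquirt.exe`, `nbtstat.exe`) are typed `Sideloading`, while every existing mswsock.dll entry in this file (curl.exe, devicecensus.exe, ftp.exe, hostname.exe, nslookup.exe) is `Type: Environment Variable` with `Variable: SYSTEMROOT`, i.e. the library is reached through `%SYSTEMROOT%` rather than from the executable's directory. How mswsock.dll is resolved is a property of the dependency chain that loads it rather than of the executable, so it would be surprising if these four behaved differently from the networking tools already listed. Please confirm that a copy of, say, nbtstat.exe placed next to a rogue mswsock.dll really loads it, or change the entries to `Type: Environment Variable` / `Variable: SYSTEMROOT` to match the rest of the file.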
--- a/yml/microsoft/built-in/mswsock.yml +++ b/yml/microsoft/built-in/mswsock.yml @@ -74,4 +74,4 @@ Acknowledgements: - Name: Wietze Twitter: '@wietze' - Name: Chris Spehn - Twitter: "@ConsciousHacker" \ No newline at end of file + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/srpapi.yml b/yml/microsoft/built-in/srpapi.yml index e2245de8..a32ae945 100644 --- a/yml/microsoft/built-in/srpapi.yml +++ b/yml/microsoft/built-in/srpapi.yml @@ -7,12 +7,18 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\appidpolicyconverter.exe' + Type: Sideloading - Path: '%SYSTEM32%\mshta.exe' Type: Sideloading - Path: '%SYSTEM32%\rdpclip.exe' Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 9b55663d701177f7ee6567051066565b2f19bcf9 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 08:36:29 -0600 Subject: [PATCH 010/156] Updated dxgi.yml --- yml/microsoft/built-in/dxgi.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/yml/microsoft/built-in/dxgi.yml b/yml/microsoft/built-in/dxgi.yml index 4622feaf..8a7e6cc4 100644 --- a/yml/microsoft/built-in/dxgi.yml +++ b/yml/microsoft/built-in/dxgi.yml @@ -7,6 +7,8 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\applicationframehost.exe' + Type: Sideloading - Path: '%SYSTEM32%\dataexchangehost.exe' Type: Sideloading - Path: '%SYSTEM32%\dwm.exe' 
@@ -25,11 +27,17 @@ VulnerableExecutables: - Path: '%SYSTEM32%\taskmgr.exe' Type: Sideloading AutoElevate: true + - Path: '%SYSTEM32%\vsgraphicsremoteengine.exe' + Type: Sideloading - Path: '%SYSTEM32%\winsat.exe' Type: Sideloading AutoElevate: true Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From a773968369539710fc0c15702da24aae7cf97adc Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 08:39:33 -0600 Subject: [PATCH 011/156] Updated activeds.yml --- yml/microsoft/built-in/activeds.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/yml/microsoft/built-in/activeds.yml b/yml/microsoft/built-in/activeds.yml index f06ed3a1..7a57184a 100644 --- a/yml/microsoft/built-in/activeds.yml +++ b/yml/microsoft/built-in/activeds.yml @@ -7,10 +7,26 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\applysettingstemplatecatalog.exe' + Type: Sideloading - Path: '%SYSTEM32%\agentservice.exe' Type: Sideloading + - Path: '%SYSTEM32%\dsadd.exe' + Type: Sideloading + - Path: '%SYSTEM32%\dsget.exe' + Type: Sideloading + - Path: '%SYSTEM32%\dsmod.exe' + Type: Sideloading + - Path: '%SYSTEM32%\dsrm.exe' + Type: Sideloading + - Path: '%SYSTEM32%\gpfixup.exe' + Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 3dda504cb2dd3294ef19c04499c03627d6183941 Mon Sep 17 00:00:00 2001 
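Review bot: `applysettingstemplatecatalog.exe` is inserted ahead of `agentservice.exe`, breaking the alphabetical order that the rest of the activeds.yml list and the other files in this series keep; it belongs after agentservice.exe. The dsadd/dsget/dsmod/dsrm/gpfixup additions are otherwise in order. Note that dsrm.exe is also added to secur32.yml in PATCH 013, so two files now describe that binary and should be kept in step if either is corrected later.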
From: Chris Spehn Date: Tue, 16 Aug 2022 08:44:48 -0600 Subject: [PATCH 012/156] Updated wtsapi32.yml --- yml/microsoft/built-in/wtsapi32.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/yml/microsoft/built-in/wtsapi32.yml b/yml/microsoft/built-in/wtsapi32.yml index 4f4ba8c1..fd7de473 100644 --- a/yml/microsoft/built-in/wtsapi32.yml +++ b/yml/microsoft/built-in/wtsapi32.yml @@ -7,16 +7,24 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\appvclient.exe' + Type: Sideloading - Path: '%SYSTEM32%\bdeuisrv.exe' Type: Sideloading + - Path: '%SYSTEM32%\customshellhost.exe' + Type: Sideloading - Path: '%SYSTEM32%\magnify.exe' Type: Sideloading + - Path: '%SYSTEM32%\mblctr.exe' + Type: Sideloading - Path: '%SYSTEM32%\mdmappinstaller.exe' Type: Sideloading - Path: '%SYSTEM32%\raserver.exe' Type: Sideloading - Path: '%SYSTEM32%\rdpclip.exe' Type: Sideloading + - Path: '%SYSTEM32%\rdpinput.exe' + Type: Sideloading - Path: '%SYSTEM32%\rdpshell.exe' Type: Sideloading - Path: '%SYSTEM32%\rdvghelper.exe' @@ -26,6 +34,8 @@ VulnerableExecutables: AutoElevate: true - Path: '%SYSTEM32%\securityhealthservice.exe' Type: Sideloading + - Path: '%SYSTEM32%\sethc.exe' + Type: Sideloading - Path: '%SYSTEM32%\slui.exe' Type: Sideloading - Path: '%SYSTEM32%\systemsettingsadminflows.exe' @@ -36,6 +46,10 @@ VulnerableExecutables: AutoElevate: true Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From aa16a67c82e7a48675b18a8082548c6818f11d06 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 08:47:26 -0600 Subject: [PATCH 013/156] Updated secur32.yml --- yml/microsoft/built-in/secur32.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) 
diff --git a/yml/microsoft/built-in/secur32.yml b/yml/microsoft/built-in/secur32.yml index 1bfb93df..4aaea30e 100644 --- a/yml/microsoft/built-in/secur32.yml +++ b/yml/microsoft/built-in/secur32.yml @@ -7,11 +7,23 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\appvclient.exe' + Type: Sideloading - Path: '%SYSTEM32%\calc.exe' Type: Sideloading + - Path: '%SYSTEM32%\certreq.exe' + Type: Sideloading + - Path: '%SYSTEM32%\certutil.exe' + Type: Sideloading - Path: '%SYSTEM32%\computerdefaults.exe' Type: Sideloading AutoElevate: true + - Path: '%SYSTEM32%\dfsrdiag.exe' + Type: Sideloading + - Path: '%SYSTEM32%\dsregcmd.exe' + Type: Sideloading + - Path: '%SYSTEM32%\dsrm.exe' + Type: Sideloading - Path: '%SYSTEM32%\fodhelper.exe' Type: Sideloading AutoElevate: true @@ -19,8 +31,16 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\klist.exe' Type: Sideloading + - Path: '%SYSTEM32%\msdt.exe' + Type: Sideloading + - Path: '%SYSTEM32%\repadmin.exe' + Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From e51201dc0d5280487c2f2758083f01b0b0c312f9 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 08:51:58 -0600 Subject: [PATCH 014/156] Updated wininet.yml --- yml/microsoft/built-in/wininet.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/yml/microsoft/built-in/wininet.yml b/yml/microsoft/built-in/wininet.yml index 68ff32c6..21dafbfc 100644 --- a/yml/microsoft/built-in/wininet.yml +++ b/yml/microsoft/built-in/wininet.yml 
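Review bot: `msdt.exe` is added to secur32.yml with only `Type: Sideloading`, but the existing uxtheme.yml entry for the same binary (visible in PATCH 017) carries `AutoElevate: true`, and the new duser.yml entry in PATCH 018 sets it as well; the three files should agree, since the flag is what tells a consumer which sideloads cross an integrity boundary. Add `AutoElevate: true` under the msdt.exe entry here, or remove it from the others if the flag is wrong. The computerdefaults.exe and fodhelper.exe entries in the first hunk show the expected shape.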
@@ -7,6 +7,10 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\appvclient.exe' + Type: Sideloading + - Path: '%SYSTEM32%\browserexport.exe' + Type: Sideloading - Path: '%SYSTEM32%\calc.exe' Type: Sideloading - Path: '%SYSTEM32%\certreq.exe' @@ -21,6 +25,8 @@ VulnerableExecutables: AutoElevate: true - Path: '%SYSTEM32%\ie4uinit.exe' Type: Sideloading + - Path: '%SYSTEM32%\logagent.exe' + Type: Sideloading - Path: '%SYSTEM32%\mdmdiagnosticstool.exe' Type: Sideloading - Path: '%SYSTEM32%\mstsc.exe' @@ -29,12 +35,18 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\quickassist.exe' Type: Sideloading + - Path: '%SYSTEM32%\tokenbrokercookies.exe' + Type: Sideloading - Path: '%SYSTEM32%\wkspbroker.exe' Type: Sideloading - Path: '%SYSTEM32%\wksprt.exe' Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 61a9f6d892fe6072f055a5947bbb14401af82f5e Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 08:55:15 -0600 Subject: [PATCH 015/156] Updated mmdevapi.yml --- yml/microsoft/built-in/mmdevapi.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/yml/microsoft/built-in/mmdevapi.yml b/yml/microsoft/built-in/mmdevapi.yml index 9a1aa459..65e0b87e 100644 --- a/yml/microsoft/built-in/mmdevapi.yml +++ b/yml/microsoft/built-in/mmdevapi.yml @@ -7,6 +7,8 @@ ExpectedLocations: - '%SYSTEM32%' - '%SYSWOW64%' VulnerableExecutables: +- Path: '%SYSTEM32%\audiodg.exe' + Type: Sideloading - Path: '%SYSTEM32%\osk.exe' Type: Sideloading - Path: '%SYSTEM32%\certreq.exe' 
@@ -30,6 +32,10 @@ VulnerableExecutables: Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows - https://wietze.github.io/blog/save-the-environment-variables +- https://securityintelligence.com/posts/windows-features-dll-sideloading/ +- https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze - Twitter: '@wietze' + Twitter: "@wietze" +- Name: Chris Spehn + Twitter: "@ConsciousHacker" \ No newline at end of file From 9f44c307e79849af95baa87fb5e9c60ee8b67332 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 09:00:01 -0600 Subject: [PATCH 016/156] Updated winbrand.yml --- yml/microsoft/built-in/mmdevapi.yml | 2 +- yml/microsoft/built-in/winbrand.yml | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/yml/microsoft/built-in/mmdevapi.yml b/yml/microsoft/built-in/mmdevapi.yml index 65e0b87e..8b868f5e 100644 --- a/yml/microsoft/built-in/mmdevapi.yml +++ b/yml/microsoft/built-in/mmdevapi.yml @@ -38,4 +38,4 @@ Acknowledgements: - Name: Wietze Twitter: "@wietze" - Name: Chris Spehn - Twitter: "@ConsciousHacker" \ No newline at end of file + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/winbrand.yml b/yml/microsoft/built-in/winbrand.yml index 937368ce..f87ad32e 100644 --- a/yml/microsoft/built-in/winbrand.yml +++ b/yml/microsoft/built-in/winbrand.yml @@ -7,6 +7,10 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\bdehdcfg.exe' + Type: Sideloading + - Path: '%SYSTEM32%\licensediag.exe' + Type: Sideloading - Path: '%SYSTEM32%\slui.exe' Type: Sideloading - Path: '%SYSTEM32%\systempropertiesadvanced.exe' @@ -17,6 +21,10 @@ VulnerableExecutables: AutoElevate: true Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" 
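Review bot: Besides appending the two resources and the new acknowledgement, this hunk rewrites the untouched `Twitter: '@wietze'` line to double quotes, an unrelated change that also diverges from the single-quoted style the rest of mmdevapi.yml uses (`- '%SYSTEM32%'`, `- '%SYSWOW64%'`). Leave the existing line as is and quote the new entry the same way, `Twitter: '@ConsciousHacker'`, so the file stays internally consistent and the diff stays minimal.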
From a2e91e0d3598f8702efdb99696d79674dfb921cf Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 09:06:13 -0600 Subject: [PATCH 017/156] Updated uxtheme.yml --- yml/microsoft/built-in/uxtheme.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/yml/microsoft/built-in/uxtheme.yml b/yml/microsoft/built-in/uxtheme.yml index 92b68ea1..90902858 100644 --- a/yml/microsoft/built-in/uxtheme.yml +++ b/yml/microsoft/built-in/uxtheme.yml @@ -7,6 +7,10 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\atbroker.exe' + Type: Sideloading + - Path: '%SYSTEM32%\cloudnotifications.exe' + Type: Sideloading - Path: '%SYSTEM32%\cttune.exe' Type: Sideloading - Path: '%SYSTEM32%\displayswitch.exe' @@ -17,16 +21,34 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\gamepanel.exe' Type: Sideloading + - Path: '%SYSTEM32%\isoburn.exe' + Type: Sideloading + - Path: '%SYSTEM32%\mblctr.exe' + Type: Sideloading + - Path: '%SYSTEM32%\mmc.exe' + Type: Sideloading - Path: '%SYSTEM32%\msdt.exe' Type: Sideloading AutoElevate: true - Path: '%SYSTEM32%\msra.exe' Type: Sideloading + - Path: '%SYSTEM32%\musnotifyicon.exe' + Type: Sideloading + - Path: '%SYSTEM32%\passwordonwakesettingflyout.exe' + Type: Sideloading - Path: '%SYSTEM32%\quickassist.exe' Type: Sideloading + - Path: '%SYSTEM32%\recoverydrive.exe' + Type: Sideloading - Path: '%SYSTEM32%\sdclt.exe' Type: Sideloading AutoElevate: true + - Path: '%SYSTEM32%\sethc.exe' + Type: Sideloading + - Path: '%SYSTEM32%\sndvol.exe' + Type: Sideloading + - Path: '%SYSTEM32%\snippingtool.exe' + Type: Sideloading - Path: '%SYSTEM32%\taskmgr.exe' Type: Sideloading AutoElevate: true 
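Review bot: The new `mmc.exe` entry in uxtheme.yml is listed without `AutoElevate: true`, yet mmc.exe is, to my knowledge, one of the auto-elevating Microsoft binaries; if that is correct it should be flagged like msdt.exe, sdclt.exe and taskmgr.exe in this same hunk, because the flag is the only thing in this schema that separates a user-context sideload from one that lands in a high-integrity process. Please verify against the binary's manifest before adding `AutoElevate: true` under it.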
@@ -40,6 +62,10 @@ VulnerableExecutables: Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 3d740e4a743b6e1a296da4a22526e24dc959acaa Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 09:14:30 -0600 Subject: [PATCH 018/156] Updated duser.yml --- yml/microsoft/built-in/duser.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/yml/microsoft/built-in/duser.yml b/yml/microsoft/built-in/duser.yml index 950ebf85..0ddf1398 100644 --- a/yml/microsoft/built-in/duser.yml +++ b/yml/microsoft/built-in/duser.yml @@ -7,11 +7,36 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\bdeunlock.exe' + Type: Sideloading + - Path: '%SYSTEM32%\displayswitch.exe' + Type: Sideloading + - Path: '%SYSTEM32%\easeofaccessdialog.exe' + Type: Sideloading + - Path: '%SYSTEM32%\lockscreencontentserver.exe' + Type: Sideloading + - Path: '%SYSTEM32%\mmc.exe' + Type: Sideloading + - Path: '%SYSTEM32%\msdt.exe' + Type: Sideloading + AutoElevate: true + - Path: '%SYSTEM32%\osk.exe' + Type: Sideloading - Path: '%SYSTEM32%\rekeywiz.exe' Type: Sideloading + - Path: '%SYSTEM32%\sessionmsg.exe' + Type: Sideloading + - Path: '%SYSTEM32%\taskmgr.exe' + Type: Sideloading + - Path: '%SYSTEM32%\utilman.exe' + Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows - https://twitter.com/0xcarnage/status/1203882560176218113 + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 264118962d5f8a9965e2e619e7723fb78836f5b2 Mon Sep 17 00:00:00 2001 
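Review bot: `taskmgr.exe` is added to duser.yml with only `Type: Sideloading`, while the existing entries for the same binary in uxtheme.yml (PATCH 017) and dxgi.yml (PATCH 010) both carry `AutoElevate: true`; the msdt.exe entry in this very hunk already has the flag, so taskmgr.exe should too. Change the entry to `- Path: '%SYSTEM32%\taskmgr.exe'` / `Type: Sideloading` / `AutoElevate: true`. A cross-file consistency check on AutoElevate for identical paths would catch this class of drift automatically.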
From: Chris Spehn Date: Tue, 16 Aug 2022 09:23:34 -0600 Subject: [PATCH 019/156] Updated dui70.yml --- yml/microsoft/built-in/dui70.yml | 40 +++++++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/yml/microsoft/built-in/dui70.yml b/yml/microsoft/built-in/dui70.yml index 187897c3..dd298d2e 100644 --- a/yml/microsoft/built-in/dui70.yml +++ b/yml/microsoft/built-in/dui70.yml 
@@ -7,17 +7,55 @@ ExpectedLocations: - '%SYSTEM32%' - '%SYSWOW64%' VulnerableExecutables: +- Path: '%SYSTEM32%\bdeunlock.exe' + Type: Sideloading +- Path: '%SYSTEM32%\camerasettings.exe' + Type: Sideloading - Path: '%SYSTEM32%\certreq.exe' Type: Sideloading +- Path: '%SYSTEM32%\dmnotificationbroker.exe' + Type: Sideloading +- Path: '%SYSTEM32%\dpapimig.exe' + Type: Sideloading +- Path: '%SYSTEM32%\licensingui.exe' + Type: Sideloading - Path: '%SYSTEM32%\optionalfeatures.exe' Type: Sideloading AutoElevate: true +- Path: '%SYSTEM32%\osk.exe' + Type: Sideloading +- Path: '%SYSTEM32%\passwordonwakesettingflyout.exe' + Type: Sideloading +- Path: '%SYSTEM32%\phoneactivate.exe' + Type: Sideloading +- Path: '%SYSTEM32%\proximityuxhost.exe' + Type: Sideloading - Path: '%SYSTEM32%\rasphone.exe' Type: Environment Variable Variable: SYSTEMROOT +- Path: '%SYSTEM32%\sessionmsg.exe' + Type: Sideloading +- Path: '%SYSTEM32%\sethc.exe' + Type: Sideloading +- Path: '%SYSTEM32%\sysreseterr.exe' + Type: Sideloading +- Path: '%SYSTEM32%\systemsettingsadminflows.exe' + Type: Sideloading +- Path: '%SYSTEM32%\systemsettingsremovedevice.exe' + Type: Sideloading +- Path: '%SYSTEM32%\utilman.exe' + Type: Sideloading +- Path: '%SYSTEM32%\windowsactiondialog.exe' + Type: Sideloading +- Path: '%SYSTEM32%\wlrmdr.exe' + Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows - https://wietze.github.io/blog/save-the-environment-variables +- https://securityintelligence.com/posts/windows-features-dll-sideloading/ +- https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze - Twitter: '@wietze' + Twitter: "@wietze" +- Name: Chris Spehn + Twitter: "@ConsciousHacker" From bb0d178c19081d2edaeb634e4e0d97cf04c51cd0 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 09:27:03 -0600 Subject: [PATCH 020/156] Updated dsreg.yml --- yml/microsoft/built-in/dsreg.yml | 6 ++++++ 1 file changed, 6 insertions(+) 
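Review bot: As in mmdevapi.yml, this hunk rewrites the untouched `Twitter: '@wietze'` line to double quotes and adds the new acknowledgement double-quoted, in a file whose existing values are single-quoted (`'%SYSTEM32%'`, `'%SYSWOW64%'`); leave the existing line alone and use `Twitter: '@ConsciousHacker'`. Separately, the list now mixes `osk.exe`, `sethc.exe` and `utilman.exe`, which to my understanding are the accessibility helpers winlogon launches from the logon screen, with ordinary user-context tools; since the schema has no field for that context, a brief note in the commit message on how those three were validated would help, because the usual "copy the exe next to the DLL" sideloading scenario is not how they are normally run.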
diff --git a/yml/microsoft/built-in/dsreg.yml b/yml/microsoft/built-in/dsreg.yml index ccaf3a84..086fdc15 100644 --- a/yml/microsoft/built-in/dsreg.yml +++ b/yml/microsoft/built-in/dsreg.yml @@ -7,10 +7,16 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\bitlockerdeviceencryption.exe' + Type: Sideloading - Path: '%SYSTEM32%\dsregcmd.exe' Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 4315837ad580dfb6b4818c5f58f4e42000d8606f Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 09:33:57 -0600 Subject: [PATCH 021/156] Updated sspicli.yml --- yml/microsoft/built-in/sspicli.yml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/yml/microsoft/built-in/sspicli.yml b/yml/microsoft/built-in/sspicli.yml index 20d1d150..684c4190 100644 --- a/yml/microsoft/built-in/sspicli.yml +++ b/yml/microsoft/built-in/sspicli.yml @@ -9,6 +9,10 @@ ExpectedLocations: VulnerableExecutables: - Path: '%SYSTEM32%\at.exe' Type: Sideloading +- Path: '%SYSTEM32%\bitsadmin.exe' + Type: Sideloading +- Path: '%SYSTEM32%\bootcfg.exe' + Type: Sideloading - Path: '%SYSTEM32%\calc.exe' Type: Sideloading - Path: '%SYSTEM32%\certreq.exe' @@ -18,6 +22,12 @@ VulnerableExecutables: - Path: '%SYSTEM32%\computerdefaults.exe' Type: Sideloading AutoElevate: true +- Path: '%SYSTEM32%\credentialenrollmentmanager.exe' + Type: Sideloading +- Path: '%SYSTEM32%\customshellhost.exe' + Type: Sideloading +- Path: '%SYSTEM32%\deviceenroller.exe' + Type: Sideloading - Path: '%SYSTEM32%\dialer.exe' Type: Sideloading - Path: '%SYSTEM32%\driverquery.exe' 
@@ -39,8 +49,16 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\gpresult.exe' Type: Sideloading +- Path: '%SYSTEM32%\iesettingsync.exe' + Type: Sideloading +- Path: '%SYSTEM32%\klist.exe' + Type: Sideloading - Path: '%SYSTEM32%\ksetup.exe' Type: Sideloading +- Path: '%SYSTEM32%\ldp.exe' + Type: Sideloading +- Path: '%SYSTEM32%\logman.exe' + Type: Sideloading - Path: '%SYSTEM32%\mdeserver.exe' Type: Sideloading - Path: '%SYSTEM32%\msdt.exe' @@ -56,6 +74,8 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\muiunattend.exe' Type: Sideloading +- Path: '%SYSTEM32%\netdom.exe' + Type: Sideloading - Path: '%SYSTEM32%\netsh.exe' Type: Sideloading - Path: '%SYSTEM32%\openfiles.exe' @@ -75,9 +95,13 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\rpcping.exe' Type: Sideloading +- Path: '%SYSTEM32%\runas.exe' + Type: Sideloading - Path: '%SYSTEM32%\sdclt.exe' Type: Sideloading AutoElevate: true +- Path: '%SYSTEM32%\setx.exe' + Type: Sideloading - Path: '%SYSTEM32%\shutdown.exe' Type: Sideloading - Path: '%SYSTEM32%\systeminfo.exe' @@ -108,6 +132,10 @@ VulnerableExecutables: Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows - https://wietze.github.io/blog/save-the-environment-variables +- https://securityintelligence.com/posts/windows-features-dll-sideloading/ +- https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: '@wietze' +- Name: Chris Spehn + Twitter: "@ConsciousHacker" From fb2aac5df66003ff027ce38466e184fc08b6bd66 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 09:49:52 -0600 Subject: [PATCH 022/156] Updated mpr.yml --- yml/microsoft/built-in/mpr.yml | 46 ++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/yml/microsoft/built-in/mpr.yml b/yml/microsoft/built-in/mpr.yml index dd37fb1f..214ee173 100644 --- a/yml/microsoft/built-in/mpr.yml +++ b/yml/microsoft/built-in/mpr.yml 
@@ -7,11 +7,57 @@ ExpectedLocations:
 - '%SYSTEM32%'
 - '%SYSWOW64%'
 VulnerableExecutables:
+- Path: '%SYSTEM32%\bootcfg.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\dcdiag.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\dfsrdiag.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\driverquery.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\dsmgmt.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\eventcreate.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\filehistory.exe'
 Type: Environment Variable
 Variable: SYSTEMROOT
+- Path: '%SYSTEM32%\getmac.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\gpresult.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\iesettingsync.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\net.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\ntdsutil.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\openfiles.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\pnpunattend.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\rdpclip.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\rekeywiz.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\repadmin.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\sdclt.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\setupugc.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\systeminfo.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\taskkill.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\waitfor.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/save-the-environment-variables
+- https://securityintelligence.com/posts/windows-features-dll-sideloading/
+- https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: '@wietze'
+- Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From fe30bf378a0e9eef869569e2786f4896539d9c88 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 09:54:40 -0600
Subject: [PATCH 023/156] Updated winsqlite3.yml
---
 yml/microsoft/built-in/winsqlite3.yml | 6 ++++++
 1 file changed, 6 insertions(+)
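Review bot: The added `sdclt.exe` entry is recorded as `Type: Sideloading` with no `AutoElevate` flag, whereas the sspicli.yml hunk earlier in this series lists the same executable with `AutoElevate: true`. If that flag describes the executable's manifest rather than the DLL, the mpr.yml entry should carry it as well, i.e. add `  AutoElevate: true` under its Type line, otherwise the catalog disagrees with itself about the same binary. It is worth applying the same cross-check to the other executables this hunk adds that already appear in other files of the catalog.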
diff --git a/yml/microsoft/built-in/winsqlite3.yml b/yml/microsoft/built-in/winsqlite3.yml
index 16e9ee4f..317d9859 100644
--- a/yml/microsoft/built-in/winsqlite3.yml
+++ b/yml/microsoft/built-in/winsqlite3.yml
@@ -7,10 +7,16 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\browserexport.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\mousocoreworker.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 6e3310df83e4d230d2c77677a63e6d5238c64404 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 09:58:39 -0600
Subject: [PATCH 024/156] Updated iertutil.yml
---
 yml/microsoft/built-in/iertutil.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/yml/microsoft/built-in/iertutil.yml b/yml/microsoft/built-in/iertutil.yml
index 82ce70fc..7e878bb2 100644
--- a/yml/microsoft/built-in/iertutil.yml
+++ b/yml/microsoft/built-in/iertutil.yml
@@ -7,16 +7,30 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\browserexport.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\cipher.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\iesettingsync.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\launchwinapp.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\microsoftedgebchost.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\microsoftedgecp.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\microsoftedgedevtools.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\microsoftedgesh.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\wwahost.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 2b13dfd9b1cfa9d60950cd48edac7aa5440c4918 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 10:01:51 -0600
Subject: [PATCH 025/156] Updated ntmarta.yml
---
 yml/microsoft/built-in/ntmarta.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/ntmarta.yml b/yml/microsoft/built-in/ntmarta.yml
index daddeaea..d9323690 100644
--- a/yml/microsoft/built-in/ntmarta.yml
+++ b/yml/microsoft/built-in/ntmarta.yml
@@ -7,6 +7,8 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+- Path: '%SYSTEM32%\cacls.exe'
+ Type: Sideloading
 - Path: '%PROGRAMFILES%\Google\Chrome\Application\chrome.exe'
 Type: Environment Variable
 Variable: SYSTEMROOT
@@ -18,6 +20,10 @@ VulnerableExecutables:
 Variable: SYSTEMROOT
 Resources:
 - https://wietze.github.io/blog/save-the-environment-variables
+- https://securityintelligence.com/posts/windows-features-dll-sideloading/
+- https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
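Review bot: In the ntmarta.yml hunk the new acknowledgement is added as an indented list item (`+ - Name: Chris Spehn`), while every other list item this file gains in the same commit sits at column 0 (`+- Path: '%SYSTEM32%\cacls.exe'`, `+- https://github.com/xforcered/WFH`). The collapsed rendering hides the exact indentation of the existing `- Name: Wietze` item, but if it is also at column 0 the indented sibling will not parse as a second sequence entry and the whole file fails to load. Writing the new item as `+- Name: Chris Spehn` followed by `+  Twitter: "@ConsciousHacker"` would match the rest of the file either way.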
From 45efae10e782df6753917c1485601efc3ae9d602 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 10:04:20 -0600
Subject: [PATCH 026/156] Updated certenroll.yml
---
 yml/microsoft/built-in/certenroll.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/certenroll.yml b/yml/microsoft/built-in/certenroll.yml
index cd6656e7..46310fde 100644
--- a/yml/microsoft/built-in/certenroll.yml
+++ b/yml/microsoft/built-in/certenroll.yml
@@ -7,10 +7,16 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\certenrollctrl.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\dmcertinst.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From b4fae7c5f3a477b0f301c0dd6184f268e1b432f7 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 10:12:48 -0600
Subject: [PATCH 027/156] Updated ncrypt.yml
---
 yml/microsoft/built-in/ncrypt.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/yml/microsoft/built-in/ncrypt.yml b/yml/microsoft/built-in/ncrypt.yml
index e027bab7..5ae3232a 100644
--- a/yml/microsoft/built-in/ncrypt.yml
+++ b/yml/microsoft/built-in/ncrypt.yml
@@ -7,11 +7,29 @@ ExpectedLocations:
 - '%SYSTEM32%'
 - '%SYSWOW64%'
 VulnerableExecutables:
+- Path: '%SYSTEM32%\certreq.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\certutil.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\clipup.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\dmcertinst.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\dnscmd.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\dsregcmd.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\filehistory.exe'
 Type: Environment Variable
 Variable: SYSTEMROOT
+- Path: '%SYSTEM32%\sgrmbroker.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/save-the-environment-variables
+- https://securityintelligence.com/posts/windows-features-dll-sideloading/
+- https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: '@wietze'
+- Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 3620c4cc296a48463d29b30553938511cfbe4bac Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 10:27:57 -0600
Subject: [PATCH 028/156] Updated regapi.yml
---
 yml/microsoft/built-in/regapi.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/regapi.yml b/yml/microsoft/built-in/regapi.yml
index fe499a05..0eda3683 100644
--- a/yml/microsoft/built-in/regapi.yml
+++ b/yml/microsoft/built-in/regapi.yml
@@ -7,6 +7,8 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\change.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\chglogon.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\query.exe'
@@ -15,6 +17,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 1952ce4e30c159817b8e88f538485233919b2f66 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 10:46:01 -0600
Subject: [PATCH 029/156] Updated wevtapi.yml
---
 yml/microsoft/built-in/wevtapi.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/yml/microsoft/built-in/wevtapi.yml b/yml/microsoft/built-in/wevtapi.yml
index 6bb963b4..093827b0 100644
--- a/yml/microsoft/built-in/wevtapi.yml
+++ b/yml/microsoft/built-in/wevtapi.yml
@@ -7,16 +7,28 @@ ExpectedLocations:
 - '%SYSTEM32%'
 - '%SYSWOW64%'
 VulnerableExecutables:
+- Path: '%SYSTEM32%\cidiag.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\dcdiag.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\gpupdate.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\mbaeparsertask.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\netsh.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\nlb.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\packageinspector.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\plasrv.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\tracerpt.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\wecutil.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\wlbs.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\wsreset.exe'
 Type: Sideloading
 AutoElevate: true
@@ -29,6 +41,10 @@ VulnerableExecutables:
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://wietze.github.io/blog/save-the-environment-variables
+- https://securityintelligence.com/posts/windows-features-dll-sideloading/
+- https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: '@wietze'
+- Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 5819aa85b75a85ebdc3bc3bb0cdf3dcc3cd19c67 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 10:51:24 -0600
Subject: [PATCH 030/156] Updated bcd.yml
---
 yml/microsoft/built-in/bcd.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/yml/microsoft/built-in/bcd.yml b/yml/microsoft/built-in/bcd.yml
index 4b52e9bc..30c577a1 100644
--- a/yml/microsoft/built-in/bcd.yml
+++ b/yml/microsoft/built-in/bcd.yml
@@ -9,6 +9,8 @@ ExpectedLocations:
 VulnerableExecutables:
 - Path: '%SYSTEM32%\bootim.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\cidiag.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\genvalobj.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\mdsched.exe'
@@ -20,6 +22,8 @@ VulnerableExecutables:
 - Path: '%SYSTEM32%\recdisc.exe'
 Type: Sideloading
 AutoElevate: true
+ - Path: '%SYSTEM32%\recoverydrive.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\resetengine.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\rstrui.exe'
@@ -61,6 +65,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From a37682f7fbef69909b4415e0036e511c0c284ffd Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 10:53:31 -0600
Subject: [PATCH 031/156] Updated vssapi.yml
---
 yml/microsoft/built-in/vssapi.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/yml/microsoft/built-in/vssapi.yml b/yml/microsoft/built-in/vssapi.yml
index 97c9db15..fc60ec6d 100644
--- a/yml/microsoft/built-in/vssapi.yml
+++ b/yml/microsoft/built-in/vssapi.yml
@@ -9,6 +9,14 @@ ExpectedLocations:
 VulnerableExecutables:
 - Path: '%SYSTEM32%\bootim.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\cleanmgr.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsdbutil.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\ntdsutil.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\recoverydrive.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\resetengine.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\rstrui.exe'
@@ -30,6 +38,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From e8b1d57821e7c8422e87112ab6fdf79227eddb74 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 10:55:53 -0600
Subject: [PATCH 032/156] Updated wdi.yml
---
 yml/microsoft/built-in/wdi.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/wdi.yml b/yml/microsoft/built-in/wdi.yml
index 3c5629f6..b68ba9b2 100644
--- a/yml/microsoft/built-in/wdi.yml
+++ b/yml/microsoft/built-in/wdi.yml
@@ -7,6 +7,8 @@ ExpectedLocations:
 - '%SYSTEM32%'
 - '%SYSWOW64%'
 VulnerableExecutables:
+- Path: '%SYSTEM32%\cofire.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\msra.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\netsh.exe'
@@ -20,6 +22,10 @@ VulnerableExecutables:
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://wietze.github.io/blog/save-the-environment-variables
+- https://securityintelligence.com/posts/windows-features-dll-sideloading/
+- https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: '@wietze'
+- Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From d7a5900a37fae5d1e9fd1011a16607c16733c564 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 10:58:53 -0600
Subject: [PATCH 033/156] Updated scecli.yml
---
 yml/microsoft/built-in/scecli.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/scecli.yml b/yml/microsoft/built-in/scecli.yml
index c023565b..fba837f4 100644
--- a/yml/microsoft/built-in/scecli.yml
+++ b/yml/microsoft/built-in/scecli.yml
@@ -7,10 +7,16 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\convert.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\secedit.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From c1fb69c0ab30ece01db46af3ee859c0532fa9357 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 11:03:29 -0600
Subject: [PATCH 034/156] Added msvcp110_win.yml
---
 yml/microsoft/built-in/msvcp110_win.yml | 37 +++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 yml/microsoft/built-in/msvcp110_win.yml
diff --git a/yml/microsoft/built-in/msvcp110_win.yml b/yml/microsoft/built-in/msvcp110_win.yml
new file mode 100644
index 00000000..97ea7f69
--- /dev/null
+++ b/yml/microsoft/built-in/msvcp110_win.yml
@@ -0,0 +1,37 @@
+---
+Name: msvcp110_win.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\agentactivationruntimestarter.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\appidpolicyconverter.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dmcertinst.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dmomacpmo.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\locationnotificationwindows.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\mdmagent.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\mdmappinstaller.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\omadmclient.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\provlaunch.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\provtool.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\windowsactiondialog.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From ee332f145c678e9a8b9cee93c1a0c0a2b5566d6d Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 11:07:33 -0600
Subject: [PATCH 035/156] Added appvpolicy.yml
---
 yml/microsoft/built-in/appvpolicy.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 yml/microsoft/built-in/appvpolicy.yml
diff --git a/yml/microsoft/built-in/appvpolicy.yml b/yml/microsoft/built-in/appvpolicy.yml
new file mode 100644
index 00000000..1c01c796
--- /dev/null
+++ b/yml/microsoft/built-in/appvpolicy.yml
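Review bot: The new file's header states `Created: 2021-08-16`, but the commit that adds it is dated 16 Aug 2022, so the year looks like a typo and `Created: 2022-08-16` is probably intended. Every other file created later in this series (appvpolicy.yml, netapi32.yml, cryptsp.yml, iumsdk.yml, fveskybackup.yml, fvewiz.yml, bootux.yml, msiso.yml, urlmon.yml, certcli.yml, profapi.yml, cmutil.yml, ifsutil.yml) carries the same date, so it is worth correcting in one pass. This is inferred from the commit dates only; if the entries really were researched a year earlier the field is accurate as written.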
@@ -0,0 +1,17 @@
+---
+Name: appvpolicy.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\appvclient.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From d9cff40f928012b74adf873099d7ea88e35482d0 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 11:09:26 -0600
Subject: [PATCH 036/156] Updated appvpolicy.yml
---
 yml/microsoft/built-in/appvpolicy.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/yml/microsoft/built-in/appvpolicy.yml b/yml/microsoft/built-in/appvpolicy.yml
index 1c01c796..8169fe77 100644
--- a/yml/microsoft/built-in/appvpolicy.yml
+++ b/yml/microsoft/built-in/appvpolicy.yml
@@ -5,7 +5,6 @@ Created: 2021-08-16
 Vendor: Microsoft
 ExpectedLocations:
 - "%SYSTEM32%"
- - "%SYSWOW64%"
 VulnerableExecutables:
 - Path: '%SYSTEM32%\appvclient.exe'
 Type: Sideloading
From 2fae776dc9b92b97a7471ab6a0cefee54eae1692 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 11:13:37 -0600
Subject: [PATCH 037/156] Added netapi32.yml
---
 yml/microsoft/built-in/netapi32.yml | 49 +++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 yml/microsoft/built-in/netapi32.yml
diff --git a/yml/microsoft/built-in/netapi32.yml b/yml/microsoft/built-in/netapi32.yml
new file mode 100644
index 00000000..2b7d6514
--- /dev/null
+++ b/yml/microsoft/built-in/netapi32.yml
@@ -0,0 +1,49 @@
+---
+Name: netapi32.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\appvclient.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\bootcfg.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\certutil.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dcdiag.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dfscmd.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dfsdiag.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dfsrdiag.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dfsutil.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dnscmd.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsadd.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsget.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsquery.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\ie4uinit.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\mstsc.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\qappsrv.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\spaceagent.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\wbengine.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From b364f540ae221c1fc5212288e45631d2fc0c4249 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 11:17:54 -0600
Subject: [PATCH 038/156] Added cryptsp.yml
---
 yml/microsoft/built-in/cryptsp.yml | 33 ++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 yml/microsoft/built-in/cryptsp.yml
diff --git a/yml/microsoft/built-in/cryptsp.yml b/yml/microsoft/built-in/cryptsp.yml
new file mode 100644
index 00000000..3caa4e8b
--- /dev/null
+++ b/yml/microsoft/built-in/cryptsp.yml
@@ -0,0 +1,33 @@
+---
+Name: cryptsp.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\bcdedit.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\disksnapshot.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\genvalobj.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\omadmclient.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\rmactivate.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\rmactivate_isv.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\rmactivate_ssp.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\rmactivate_ssp_isv.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\werfault.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From d290a0dd4a7d18a5da450bbd1124a125c1c3465e Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 11:21:07 -0600
Subject: [PATCH 039/156] Added iumsdk.yml
---
 yml/microsoft/built-in/iumsdk.yml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
 create mode 100644 yml/microsoft/built-in/iumsdk.yml
diff --git a/yml/microsoft/built-in/iumsdk.yml b/yml/microsoft/built-in/iumsdk.yml
new file mode 100644
index 00000000..098ac9f5
--- /dev/null
+++ b/yml/microsoft/built-in/iumsdk.yml
@@ -0,0 +1,20 @@
+---
+Name: iumsdk.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\bioiso.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\fsiso.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\ngciso.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 3597821abe17515534503fa80198ebb07ea6b841 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 11:22:47 -0600
Subject: [PATCH 040/156] Added fveskybackup.yml
---
 yml/microsoft/built-in/fveskybackup.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 yml/microsoft/built-in/fveskybackup.yml
diff --git a/yml/microsoft/built-in/fveskybackup.yml b/yml/microsoft/built-in/fveskybackup.yml
new file mode 100644
index 00000000..8e743a1e
--- /dev/null
+++ b/yml/microsoft/built-in/fveskybackup.yml
@@ -0,0 +1,16 @@
+---
+Name: fveskybackup.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\bitlockerdeviceencryption.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 0e287005f20e18385d1ecddc7d6e0bcaf4c86c23 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 11:25:22 -0600
Subject: [PATCH 041/156] Added fvewiz.yml
---
 yml/microsoft/built-in/fvewiz.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 yml/microsoft/built-in/fvewiz.yml
diff --git a/yml/microsoft/built-in/fvewiz.yml b/yml/microsoft/built-in/fvewiz.yml
new file mode 100644
index 00000000..7e709e62
--- /dev/null
+++ b/yml/microsoft/built-in/fvewiz.yml
@@ -0,0 +1,19 @@
+---
+Name: fvewiz.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\bitlockerwizard.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\bitlockerwizardelev.exe'
+ Type: Sideloading
+ AutoElevate: true
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 1cb840c149c202678e78afc8c1fca5bd738bbd3f Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 11:27:05 -0600
Subject: [PATCH 042/156] Added bootux.yml
---
 yml/microsoft/built-in/bootux.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 yml/microsoft/built-in/bootux.yml
diff --git a/yml/microsoft/built-in/bootux.yml b/yml/microsoft/built-in/bootux.yml
new file mode 100644
index 00000000..92a8d332
--- /dev/null
+++ b/yml/microsoft/built-in/bootux.yml
@@ -0,0 +1,16 @@
+---
+Name: bootux.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\bootim.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 94544f9e50ede21cad6ea9c4b7046d70c3bb0292 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 11:28:46 -0600
Subject: [PATCH 043/156] Added msiso.yml
---
 yml/microsoft/built-in/msiso.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 yml/microsoft/built-in/msiso.yml
diff --git a/yml/microsoft/built-in/msiso.yml b/yml/microsoft/built-in/msiso.yml
new file mode 100644
index 00000000..65a7e94a
--- /dev/null
+++ b/yml/microsoft/built-in/msiso.yml
@@ -0,0 +1,17 @@
+---
+Name: msiso.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\browserexport.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From bf7cd5b8c7c690e9f613fb8ee50b48bbc26fe739 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 11:31:02 -0600
Subject: [PATCH 044/156] Added urlmon.yml
---
 yml/microsoft/built-in/urlmon.yml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 yml/microsoft/built-in/urlmon.yml
diff --git a/yml/microsoft/built-in/urlmon.yml b/yml/microsoft/built-in/urlmon.yml
new file mode 100644
index 00000000..fb28cbea
--- /dev/null
+++ b/yml/microsoft/built-in/urlmon.yml
@@ -0,0 +1,23 @@
+---
+Name: urlmon.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\bytecodegenerator.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\ie4uinit.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\ldifde.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\presentationhost.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From e977e223d5d25c48f0823b70ac7f94e91f8820cc Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 11:32:30 -0600
Subject: [PATCH 045/156] Added certcli.yml
---
 yml/microsoft/built-in/certcli.yml | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 yml/microsoft/built-in/certcli.yml
diff --git a/yml/microsoft/built-in/certcli.yml b/yml/microsoft/built-in/certcli.yml
new file mode 100644
index 00000000..815142e9
--- /dev/null
+++ b/yml/microsoft/built-in/certcli.yml
@@ -0,0 +1,21 @@
+---
+Name: certcli.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\certreq.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\certutil.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\repadmin.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 063c0e8fcdff82cce79129952e13106000b39374 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 11:35:11 -0600
Subject: [PATCH 046/156] Added profapi.yml
---
 yml/microsoft/built-in/profapi.yml | 37 ++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 yml/microsoft/built-in/profapi.yml
diff --git a/yml/microsoft/built-in/profapi.yml b/yml/microsoft/built-in/profapi.yml
new file mode 100644
index 00000000..27323d5d
--- /dev/null
+++ b/yml/microsoft/built-in/profapi.yml
@@ -0,0 +1,37 @@
+---
+Name: profapi.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\certreq.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\edpcleanup.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\immersivetpmvscmgrsvr.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\manage-bde.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\mousocoreworker.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\omadmclient.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\provtool.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\rmttpmvscmgrsvr.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\tpmvscmgrsvr.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\usocoreworker.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\wwahost.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 286887a88c4672af7bcc5b8b5dc188c3220a007e Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 11:36:35 -0600
Subject: [PATCH 047/156] Added cmutil.yml
---
 yml/microsoft/built-in/cmutil.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 yml/microsoft/built-in/cmutil.yml
diff --git a/yml/microsoft/built-in/cmutil.yml b/yml/microsoft/built-in/cmutil.yml
new file mode 100644
index 00000000..66753809
--- /dev/null
+++ b/yml/microsoft/built-in/cmutil.yml
@@ -0,0 +1,17 @@
+---
+Name: cmutil.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\cmstp.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 0389faa4adc015a890b0339e6ca51892fea8b27e Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 11:38:17 -0600
Subject: [PATCH 048/156] Added ifsutil.yml
---
 yml/microsoft/built-in/ifsutil.yml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 yml/microsoft/built-in/ifsutil.yml
diff --git a/yml/microsoft/built-in/ifsutil.yml b/yml/microsoft/built-in/ifsutil.yml
new file mode 100644
index 00000000..e211d4d0
--- /dev/null
+++ b/yml/microsoft/built-in/ifsutil.yml
@@ -0,0 +1,25 @@
+---
+Name: ifsutil.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\convert.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\fsavailux.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\label.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\recover.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\xcopy.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 9d9d7ddd256946e14ad502b4e35312f8287a6c3c Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 11:40:24 -0600
Subject: [PATCH 049/156] Updated osuninst.yml
---
 yml/microsoft/built-in/osuninst.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/osuninst.yml b/yml/microsoft/built-in/osuninst.yml
index f30fe074..98efb4fb 100644
--- a/yml/microsoft/built-in/osuninst.yml
+++ b/yml/microsoft/built-in/osuninst.yml
@@ -7,10 +7,16 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\convert.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\vds.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 49a1bff9666dff151bdd2cd2a8e42edd588711da Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 11:42:11 -0600
Subject: [PATCH 050/156] Updated samcli.yml
---
 yml/microsoft/built-in/samcli.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/yml/microsoft/built-in/samcli.yml b/yml/microsoft/built-in/samcli.yml
index bc73c0c0..66f9168f 100644
--- a/yml/microsoft/built-in/samcli.yml
+++ b/yml/microsoft/built-in/samcli.yml
@@ -15,6 +15,10 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\chgport.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\credwiz.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dcdiag.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\deviceenroller.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\dpapimig.exe'
@@ -26,6 +30,8 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\net1.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\netdom.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\netplwiz.exe'
 Type: Sideloading
 AutoElevate: true
@@ -52,6 +58,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From d59e7b9ef0762119023658fd990857c45123f38d Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 11:47:43 -0600
Subject: [PATCH 051/156] Updated netutils.yml
---
 yml/microsoft/built-in/netutils.yml | 40 +++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
diff --git a/yml/microsoft/built-in/netutils.yml b/yml/microsoft/built-in/netutils.yml
index d5acb4dc..6b6e6a1d 100644
--- a/yml/microsoft/built-in/netutils.yml
+++ b/yml/microsoft/built-in/netutils.yml
@@ -17,6 +17,12 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\chgport.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\credwiz.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\csvde.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dcdiag.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\devicecensus.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\deviceenroller.exe'
@@ -27,6 +33,12 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\driverquery.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\dsacls.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsdbutil.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsmgmt.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\dsregcmd.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\easinvoker.exe'
@@ -40,12 +52,18 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\getmac.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\gpfixup.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\gpresult.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\ie4uinit.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\klist.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\ksetup.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\ldifde.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\mshta.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\mstsc.exe'
@@ -54,11 +72,15 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\net1.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\netdom.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\netplwiz.exe'
 Type: Sideloading
 AutoElevate: true
 - Path: '%SYSTEM32%\nltest.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\ntdsutil.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\openfiles.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\query.exe'
@@ -69,12 +91,26 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\raserver.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\redircmp.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\redirusr.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\rekeywiz.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\rendom.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\repadmin.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\reset.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\runas.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\rwinsta.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\setspn.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\shrpubw.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\spaceagent.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\systempropertiesadvanced.exe'
@@ -101,6 +137,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 04761d0c32afb7945a1247ef0ac1413a9a2c6477 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 11:50:02 -0600
Subject: [PATCH 052/156] Updated msctfmonitor.yml
---
 yml/microsoft/built-in/msctfmonitor.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/msctfmonitor.yml b/yml/microsoft/built-in/msctfmonitor.yml
index 55809a83..b5768a56 100644
--- a/yml/microsoft/built-in/msctfmonitor.yml
+++ b/yml/microsoft/built-in/msctfmonitor.yml
@@ -7,10 +7,16 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\credwiz.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\ctfmon.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 5692ee789162789f4c9f63ba0e3d978581d3b14e Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 12:03:07 -0600
Subject: [PATCH 053/156] Updated dsrole.yml
---
 yml/microsoft/built-in/dsrole.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/yml/microsoft/built-in/dsrole.yml b/yml/microsoft/built-in/dsrole.yml
index 57b9a719..3d086491 100644
--- a/yml/microsoft/built-in/dsrole.yml
+++ b/yml/microsoft/built-in/dsrole.yml
@@ -11,15 +11,29 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\cipher.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\csvde.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\dcdiag.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\dsdbutil.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\efsui.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\gpfixup.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\net1.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\netdom.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\netplwiz.exe'
 Type: Sideloading
 AutoElevate: true
+- Path: '%SYSTEM32%\ntdsutil.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\rekeywiz.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\repadmin.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\systempropertiesadvanced.exe'
 Type: Sideloading
 AutoElevate: true
@@ -35,6 +49,10 @@ VulnerableExecutables:
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://wietze.github.io/blog/save-the-environment-variables
+- https://securityintelligence.com/posts/windows-features-dll-sideloading/
+- https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: '@wietze'
+- Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 41f32ad7a0be90cde105e23a64e3db56f75af42e Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 12:09:26 -0600
Subject: [PATCH 054/156] Updated logoncli.yml
---
 yml/microsoft/built-in/logoncli.yml | 30 +++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/yml/microsoft/built-in/logoncli.yml b/yml/microsoft/built-in/logoncli.yml
index f08ce1cb..6c15ec1b 100644
--- a/yml/microsoft/built-in/logoncli.yml
+++ b/yml/microsoft/built-in/logoncli.yml
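Review bot: The new acknowledgement line uses double quotes, `Twitter: "@ConsciousHacker"`, while the rest of dsrole.yml uses single quotes (`Twitter: '@wietze'` on the context line just above); for consistency with this file it should read `Twitter: '@ConsciousHacker'`. The same mismatch appears in the propsys.yml, twinapi.yml and iphlpapi.yml hunks later in this series, whose existing entries are also single-quoted. The other files touched here use double quotes throughout, so their additions are consistent as written.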
@@ -15,34 +15,60 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\chgport.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\csvde.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\devicecensus.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\djoin.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\dsacls.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsmgmt.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\dsregcmd.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\efsui.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\gpfixup.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\gpresult.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\klist.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\ksetup.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\ldifde.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\net1.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\nltest.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\netdom.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\ntdsutil.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\query.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\quser.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\qwinsta.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\redircmp.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\redirusr.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\rekeywiz.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\rendom.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\repadmin.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\reset.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\rwinsta.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\setspn.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\systempropertiesadvanced.exe'
 Type: Sideloading
 AutoElevate: true
@@ -57,6 +83,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
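Review bot: `- Path: '%SYSTEM32%\netdom.exe'` is inserted after `nltest.exe`, which breaks the alphabetical order the rest of this logoncli.yml list keeps; it belongs between `net1.exe` and `nltest.exe`, which is where the other hunks in this series (samcli, netutils, dsrole, srvcli) place it. The same ordering slip appears in srvcli.yml (`dsdbutil.exe` placed before `driverquery.exe`), in fltlib.yml in patch 068 (`dfsrdiag.exe` placed after `dpiscaling.exe`) and in esent.yml in patch 069 (`ntdsutil.exe` placed after `tieringengineservice.exe`). Keeping these lists sorted is what makes duplicate or mistyped executable names easy to spot in review.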
From a7103be8b0de3de017cb1fc7bfc88f4ff9dc08d3 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 12:11:35 -0600
Subject: [PATCH 055/156] Updated propsys.yml
---
 yml/microsoft/built-in/propsys.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/yml/microsoft/built-in/propsys.yml b/yml/microsoft/built-in/propsys.yml
index fb697b07..a657328c 100644
--- a/yml/microsoft/built-in/propsys.yml
+++ b/yml/microsoft/built-in/propsys.yml
@@ -18,6 +18,8 @@ VulnerableExecutables:
 - Path: '%SYSTEM32%\computerdefaults.exe'
 Type: Sideloading
 AutoElevate: true
+- Path: '%SYSTEM32%\customshellhost.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\dpiscaling.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\dsregcmd.exe'
@@ -51,6 +53,8 @@ VulnerableExecutables:
 - Path: '%SYSTEM32%\printui.exe'
 Type: Sideloading
 AutoElevate: true
+- Path: '%SYSTEM32%\proximityuxhost.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\quickassist.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\rdpclip.exe'
@@ -139,6 +143,10 @@ VulnerableExecutables:
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://wietze.github.io/blog/save-the-environment-variables
+- https://securityintelligence.com/posts/windows-features-dll-sideloading/
+- https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: '@wietze'
+- Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From efb80eb3ef2a169282933f62aa4601fa170bd414 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 12:13:57 -0600
Subject: [PATCH 056/156] Updated twinapi.yml
---
 yml/microsoft/built-in/twinapi.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/twinapi.yml b/yml/microsoft/built-in/twinapi.yml
index e9128797..0153c5b1 100644
--- a/yml/microsoft/built-in/twinapi.yml
+++ b/yml/microsoft/built-in/twinapi.yml
@@ -7,6 +7,8 @@ ExpectedLocations:
 - '%SYSTEM32%'
 - '%SYSWOW64%'
 VulnerableExecutables:
+- Path: '%SYSTEM32%\dataexchangehost.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\rasphone.exe'
 Type: Environment Variable
 Variable: SYSTEMROOT
@@ -27,6 +29,10 @@ VulnerableExecutables:
 Variable: SYSTEMROOT
 Resources:
 - https://wietze.github.io/blog/save-the-environment-variables
+- https://securityintelligence.com/posts/windows-features-dll-sideloading/
+- https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: '@wietze'
+- Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 3371179bb98d653feba88badc5cf55c5e349934f Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 12:15:19 -0600
Subject: [PATCH 057/156] Updated dcomp.yml
---
 yml/microsoft/built-in/dcomp.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/dcomp.yml b/yml/microsoft/built-in/dcomp.yml
index 34ed7e99..2d47f9cc 100644
--- a/yml/microsoft/built-in/dcomp.yml
+++ b/yml/microsoft/built-in/dcomp.yml
@@ -7,12 +7,18 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\dataexchangehost.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\gamepanel.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\quickassist.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From e6e6592a920329f0bb3f8af7ab15c8edbc32f585 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 12:17:16 -0600
Subject: [PATCH 058/156] Updated dnsapi.yml
---
 yml/microsoft/built-in/dnsapi.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/yml/microsoft/built-in/dnsapi.yml b/yml/microsoft/built-in/dnsapi.yml
index 8d35526e..e6754389 100644
--- a/yml/microsoft/built-in/dnsapi.yml
+++ b/yml/microsoft/built-in/dnsapi.yml
@@ -9,20 +9,34 @@ ExpectedLocations:
 VulnerableExecutables:
 - Path: '%SYSTEM32%\checknetisolation.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\dcdiag.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dnscmd.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\edpcleanup.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\ipconfig.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\lpremove.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\msdtc.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\netdom.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\netsh.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\nslookup.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\rendom.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\repadmin.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\securityhealthservice.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\setupugc.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\sihclient.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\spoolsv.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\sppextcomobj.exe'
@@ -41,6 +55,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 1dc79d93ba6b82cdee1b1636090ec650ee1a1add Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 12:20:05 -0600
Subject: [PATCH 059/156] Updated iphlpapi.yml
---
 yml/microsoft/built-in/iphlpapi.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/yml/microsoft/built-in/iphlpapi.yml b/yml/microsoft/built-in/iphlpapi.yml
index 0399b070..6dcf0e30 100644
--- a/yml/microsoft/built-in/iphlpapi.yml
+++ b/yml/microsoft/built-in/iphlpapi.yml
@@ -13,6 +13,8 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\datausagelivetiletask.exe'
 Type: Sideloading
+- Path: '%SYSTEM32%\dcdiag.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\devicecensus.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\dnscacheugc.exe'
@@ -24,6 +26,10 @@ VulnerableExecutables:
 - Path: '%SYSTEM32%\fxsunatd.exe'
 Type: Sideloading
 AutoElevate: true
+- Path: '%SYSTEM32%\ipconfig.exe'
+ Type: Sideloading
+- Path: '%SYSTEM32%\mousocoreworker.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\msra.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\mstsc.exe'
@@ -80,8 +86,12 @@ Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://wietze.github.io/blog/save-the-environment-variables
 - https://twitter.com/SBousseaden/status/1550903546916311043
+- https://securityintelligence.com/posts/windows-features-dll-sideloading/
+- https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: '@wietze'
 - Name: Samir
 Twitter: '@sbousseaden'
+- Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From edb523c359f91b30af461544b79f8113230a1828 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 12:21:17 -0600
Subject: [PATCH 060/156] Updated dsparse.yml
---
 yml/microsoft/built-in/dsparse.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/yml/microsoft/built-in/dsparse.yml b/yml/microsoft/built-in/dsparse.yml
index 87ce4f4e..a5d7fe63 100644
--- a/yml/microsoft/built-in/dsparse.yml
+++ b/yml/microsoft/built-in/dsparse.yml
@@ -7,10 +7,22 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\dcdiag.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dfsrdiag.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\dmcertinst.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\netdom.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\rendom.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 1fd82a922c5bff93a77ef58f1a07f83e5cdbf127 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 12:28:43 -0600
Subject: [PATCH 061/156] Updated srvcli.yml
---
 yml/microsoft/built-in/srvcli.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/yml/microsoft/built-in/srvcli.yml b/yml/microsoft/built-in/srvcli.yml
index 9907bfa3..a27cb91f 100644
--- a/yml/microsoft/built-in/srvcli.yml
+++ b/yml/microsoft/built-in/srvcli.yml
@@ -13,6 +13,10 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\chgport.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\dcdiag.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsdbutil.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\driverquery.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\eventcreate.exe'
@@ -27,6 +31,10 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\net1.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\netdom.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\ntdsutil.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\openfiles.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\query.exe'
@@ -39,6 +47,8 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\rwinsta.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\shrpubw.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\spaceagent.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\systempropertiesadvanced.exe'
@@ -58,6 +68,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From a226a957cae6d2d4751d0563566a015cf4be771d Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 12:31:54 -0600
Subject: [PATCH 062/156] Updated ntdsapi.yml
---
 yml/microsoft/built-in/ntdsapi.yml | 34 ++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
diff --git a/yml/microsoft/built-in/ntdsapi.yml b/yml/microsoft/built-in/ntdsapi.yml
index 784c96a8..1184cb3b 100644
--- a/yml/microsoft/built-in/ntdsapi.yml
+++ b/yml/microsoft/built-in/ntdsapi.yml
@@ -11,14 +11,48 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\cipher.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\dcdiag.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dfsrdiag.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dnscmd.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsacls.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsadd.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsdbutil.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsget.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsmgmt.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsquery.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\gpresult.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\licmgr.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\netdom.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\nltest.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\ntdsutil.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\rendom.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\repadmin.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\setspn.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\w32tm.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From fac4e50bc45a58914f07c9684e4cc7d66ca7cc53 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 12:32:51 -0600
Subject: [PATCH 063/156] Updated sxshared.yml
---
 yml/microsoft/built-in/sxshared.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/sxshared.yml b/yml/microsoft/built-in/sxshared.yml
index 8e4ff7fc..8515c2b5 100644
--- a/yml/microsoft/built-in/sxshared.yml
+++ b/yml/microsoft/built-in/sxshared.yml
@@ -7,10 +7,16 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\defrag.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\dfrgui.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 5a00a16bd33f00f9ab8f1cf612f6eab2d2fc1ab9 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 12:37:30 -0600
Subject: [PATCH 064/156] Added umpdc.yml
---
 yml/microsoft/built-in/umpdc.yml | 33 ++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 yml/microsoft/built-in/umpdc.yml
diff --git a/yml/microsoft/built-in/umpdc.yml b/yml/microsoft/built-in/umpdc.yml
new file mode 100644
index 00000000..fe1072e4
--- /dev/null
+++ b/yml/microsoft/built-in/umpdc.yml
@@ -0,0 +1,33 @@
+---
+Name: umpdc.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\deviceenroller.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dmcertinst.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\iesettingsync.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\mousocoreworker.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\netevtfwdr.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\omadmclient.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\settingsynchost.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\usocoreworker.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\wifitask.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 7caaaecd01b5d30d01cc1955aaffb46766124b31 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 12:45:24 -0600
Subject: [PATCH 065/156] Added mfc42u.yml
---
 yml/microsoft/built-in/mfc42u.yml | 41 +++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 yml/microsoft/built-in/mfc42u.yml
diff --git a/yml/microsoft/built-in/mfc42u.yml b/yml/microsoft/built-in/mfc42u.yml
new file mode 100644
index 00000000..91f314a4
--- /dev/null
+++ b/yml/microsoft/built-in/mfc42u.yml
@@ -0,0 +1,41 @@
+---
+Name: mfc42u.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\devicepairingwizard.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dirquota.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\eudcedit.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\filescrn.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\ldp.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\msconfig.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\msinfo32.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\mspaint.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\nlbmgr.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\shrpubw.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\storrept.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\verifiergui.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\wfs.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From c0cf90666b18b0e9a760bd042d6a3cd700bab0bc Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 12:47:58 -0600
Subject: [PATCH 066/156] Updated resutils.yml
---
 yml/microsoft/built-in/resutils.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/resutils.yml b/yml/microsoft/built-in/resutils.yml
index e2f17d21..bc95c81a 100644
--- a/yml/microsoft/built-in/resutils.yml
+++ b/yml/microsoft/built-in/resutils.yml
@@ -7,10 +7,16 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\dfsdiag.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\msdtc.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 24c74d7489d31b002fa7e9c22c1df7ee4c430f29 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 12:50:13 -0600
Subject: [PATCH 067/156] Added framedynos.yml
---
 yml/microsoft/built-in/framedynos.yml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 yml/microsoft/built-in/framedynos.yml
diff --git a/yml/microsoft/built-in/framedynos.yml b/yml/microsoft/built-in/framedynos.yml
new file mode 100644
index 00000000..7a9ef35e
--- /dev/null
+++ b/yml/microsoft/built-in/framedynos.yml
@@ -0,0 +1,25 @@
+---
+Name: framedynos.dll
+Author: Chris Spehn
+Created: 2021-08-16
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\dfsrdiag.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\driverquery.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\getmac.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\openfiles.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\taskkill.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From decc04ceb9079fbcc1a150581de364a0de561f7d Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 12:51:22 -0600
Subject: [PATCH 068/156] Updated fltlib.yml
---
 yml/microsoft/built-in/fltlib.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/yml/microsoft/built-in/fltlib.yml b/yml/microsoft/built-in/fltlib.yml
index b6c22bce..f743bda6 100644
--- a/yml/microsoft/built-in/fltlib.yml
+++ b/yml/microsoft/built-in/fltlib.yml
@@ -15,6 +15,8 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\dpiscaling.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\dfsrdiag.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\fltmc.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\psr.exe'
From 670936b2e9fd4411026ee740c7346f822b9e370e Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 12:57:16 -0600
Subject: [PATCH 069/156] Updated esent.yml
---
 yml/microsoft/built-in/esent.yml | 10 ++++++++++
 yml/microsoft/built-in/fltlib.yml | 4 ++++
 2 files changed, 14 insertions(+)
diff --git a/yml/microsoft/built-in/esent.yml b/yml/microsoft/built-in/esent.yml
index 5cec9b8c..b541da84 100644
--- a/yml/microsoft/built-in/esent.yml
+++ b/yml/microsoft/built-in/esent.yml
@@ -7,12 +7,22 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\dfsrdiag.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\dsdbutil.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\esentutl.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\tieringengineservice.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\ntdsutil.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
diff --git a/yml/microsoft/built-in/fltlib.yml b/yml/microsoft/built-in/fltlib.yml
index f743bda6..aa9e2b59 100644
--- a/yml/microsoft/built-in/fltlib.yml
+++ b/yml/microsoft/built-in/fltlib.yml
@@ -38,6 +38,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 347e485f8c1bb501989e493cd5ab5272bc5244e0 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 12:59:19 -0600
Subject: [PATCH 070/156] Updated clusapi.yml
---
 yml/microsoft/built-in/clusapi.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/clusapi.yml b/yml/microsoft/built-in/clusapi.yml
index ece682f5..1554fc9d 100644
--- a/yml/microsoft/built-in/clusapi.yml
+++ b/yml/microsoft/built-in/clusapi.yml
@@ -7,6 +7,8 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\dfsrdiag.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\msdtc.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\tieringengineservice.exe'
@@ -15,6 +17,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From d40c5f5b42abaea6548d7ef5fba566b9b8fd6f38 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Tue, 16 Aug 2022 13:00:23 -0600
Subject: [PATCH 071/156] Updated dismapi.yml
---
 yml/microsoft/built-in/dismapi.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/dismapi.yml b/yml/microsoft/built-in/dismapi.yml
index 053b6060..f6b2c57b 100644
--- a/yml/microsoft/built-in/dismapi.yml
+++ b/yml/microsoft/built-in/dismapi.yml
@@ -11,6 +11,8 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\deploymentcsphelper.exe' Type: Sideloading + - Path: '%SYSTEM32%\directxdatabaseupdater.exe' + Type: Sideloading - Path: '%SYSTEM32%\hvsievaluator.exe' Type: Sideloading - Path: '%SYSTEM32%\resetengine.exe' @@ -23,6 +25,10 @@ VulnerableExecutables: AutoElevate: true Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From b2dd331b3dda12ca5ff0d876673f532ce3fec35a Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 13:02:17 -0600 Subject: [PATCH 072/156] Added srmtrace.dll --- yml/microsoft/built-in/srmtrace.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 yml/microsoft/built-in/srmtrace.yml diff --git a/yml/microsoft/built-in/srmtrace.yml b/yml/microsoft/built-in/srmtrace.yml new file mode 100644 index 00000000..cbdcd237 --- /dev/null +++ b/yml/microsoft/built-in/srmtrace.yml @@ -0,0 +1,21 @@ +--- +Name: srmtrace.dll +Author: Chris Spehn +Created: 2021-08-16 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" + - "%SYSWOW64%" +VulnerableExecutables: + - Path: '%SYSTEM32%\dirquota.exe' + Type: Sideloading + - Path: '%SYSTEM32%\filescrn.exe' + Type: Sideloading + - Path: '%SYSTEM32%\storrept.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 7f6de9e01ed31d4fcab55be06cf96f8c11e78936 Mon Sep 17 00:00:00 2001 
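Review bot: `Created: 2021-08-16` in the new srmtrace.yml is a year behind the commit itself, which is dated Tue, 16 Aug 2022; the field should read `Created: 2022-08-16` (and `2022-08-17` for the files added the following day). The same 2021 year appears in every file created in this series — netprovfw.yml, windows.ui.immersive.yml, dsprop.yml, coreuicomponents.yml, powrprof.yml, gpapi.yml, configmanager2.yml, winscard.yml, drvstore.yml, lrwizdll.yml, lockhostingframework.yml, mbaexmlparser.yml and batmeter.yml — and patch 097 only moves drvstore.yml and winscard.yml from 2021-08-16 to 2021-08-17, so the wrong year survives that correction as well. Since Created is the only provenance date these records carry, the typo makes the entries look a year older than they are.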
From: Chris Spehn Date: Tue, 16 Aug 2022 13:28:41 -0600 Subject: [PATCH 073/156] Added netprovfw.dll --- yml/microsoft/built-in/netprovfw.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 yml/microsoft/built-in/netprovfw.yml diff --git a/yml/microsoft/built-in/netprovfw.yml b/yml/microsoft/built-in/netprovfw.yml new file mode 100644 index 00000000..34e5bf3f --- /dev/null +++ b/yml/microsoft/built-in/netprovfw.yml @@ -0,0 +1,17 @@ +--- +Name: netprovfw.dll +Author: Chris Spehn +Created: 2021-08-16 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" + - "%SYSWOW64%" +VulnerableExecutables: + - Path: '%SYSTEM32%\djoin.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 26fc0d3ec51c441d361a49000162629f0f89502e Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 13:31:32 -0600 Subject: [PATCH 074/156] Added windows.ui.immersive.dll --- .../built-in/windows.ui.immersive.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 yml/microsoft/built-in/windows.ui.immersive.yml diff --git a/yml/microsoft/built-in/windows.ui.immersive.yml b/yml/microsoft/built-in/windows.ui.immersive.yml new file mode 100644 index 00000000..d102758d --- /dev/null +++ b/yml/microsoft/built-in/windows.ui.immersive.yml @@ -0,0 +1,19 @@ +--- +Name: windows.ui.immersive.dll +Author: Chris Spehn +Created: 2021-08-16 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" + - "%SYSWOW64%" +VulnerableExecutables: + - Path: '%SYSTEM32%\dmnotificationbroker.exe' + Type: Sideloading + - Path: '%SYSTEM32%\phoneactivate.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" 
From 8307981540fd4d6cb40276cba0f329135be27567 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 13:32:50 -0600 Subject: [PATCH 075/156] Updated samlib.yml --- yml/microsoft/built-in/samlib.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/yml/microsoft/built-in/samlib.yml b/yml/microsoft/built-in/samlib.yml index 7424f312..f2fb159b 100644 --- a/yml/microsoft/built-in/samlib.yml +++ b/yml/microsoft/built-in/samlib.yml @@ -9,14 +9,22 @@ ExpectedLocations: VulnerableExecutables: - Path: '%SYSTEM32%\dpapimig.exe' Type: Sideloading + - Path: '%SYSTEM32%\dsmgmt.exe' + Type: Sideloading - Path: '%SYSTEM32%\easinvoker.exe' Type: Sideloading AutoElevate: true - Path: '%SYSTEM32%\netplwiz.exe' Type: Sideloading AutoElevate: true + - Path: '%SYSTEM32%\ntdsutil.exe' + Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From e0ddd59b5aa63e8aca181221e8660de36ff540de Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 13:34:15 -0600 Subject: [PATCH 076/156] Updated atl.yml --- yml/microsoft/built-in/atl.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/yml/microsoft/built-in/atl.yml b/yml/microsoft/built-in/atl.yml index 19047a6b..a3490d01 100644 --- a/yml/microsoft/built-in/atl.yml +++ b/yml/microsoft/built-in/atl.yml @@ -7,6 +7,10 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\dsquery.exe' + Type: Sideloading + - Path: '%SYSTEM32%\filescrn.exe' + Type: Sideloading - Path: '%SYSTEM32%\msconfig.exe' Type: Sideloading AutoElevate: true 
@@ -20,6 +24,8 @@ VulnerableExecutables: AutoElevate: true - Path: '%SYSTEM32%\quickassist.exe' Type: Sideloading + - Path: '%SYSTEM32%\storrept.exe' + Type: Sideloading - Path: '%SYSTEM32%\vds.exe' Type: Sideloading - Path: '%SYSTEM32%\vdsldr.exe' @@ -30,6 +36,10 @@ VulnerableExecutables: Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 2ba95d2d27e3a0123bb82c9c7326a1ebe4c97730 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 13:37:53 -0600 Subject: [PATCH 077/156] Added dsprop.yml --- yml/microsoft/built-in/dsprop.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 yml/microsoft/built-in/dsprop.yml diff --git a/yml/microsoft/built-in/dsprop.yml b/yml/microsoft/built-in/dsprop.yml new file mode 100644 index 00000000..c438366c --- /dev/null +++ b/yml/microsoft/built-in/dsprop.yml @@ -0,0 +1,17 @@ +--- +Name: version.dll +Author: Chris Spehn +Created: 2021-08-16 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" + - "%SYSWOW64%" +VulnerableExecutables: + - Path: '%SYSTEM32%\dsquery.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From a1318ac4228bd2419d4235d675632bff2ae9ef80 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 13:40:28 -0600 Subject: [PATCH 078/156] Added dsprop.yml --- yml/microsoft/built-in/dsprop.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/microsoft/built-in/dsprop.yml b/yml/microsoft/built-in/dsprop.yml index c438366c..fd023751 100644 --- a/yml/microsoft/built-in/dsprop.yml +++ b/yml/microsoft/built-in/dsprop.yml 
@@ -1,5 +1,5 @@ --- -Name: version.dll +Name: dsprop.dll Author: Chris Spehn Created: 2021-08-16 Vendor: Microsoft From 29fc21123d2e678b586b9ed29dec120b4ac0ec45 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 13:43:06 -0600 Subject: [PATCH 079/156] Added coreuicomponents.yml --- yml/microsoft/built-in/coreuicomponents.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 yml/microsoft/built-in/coreuicomponents.yml diff --git a/yml/microsoft/built-in/coreuicomponents.yml b/yml/microsoft/built-in/coreuicomponents.yml new file mode 100644 index 00000000..06a0917c --- /dev/null +++ b/yml/microsoft/built-in/coreuicomponents.yml @@ -0,0 +1,17 @@ +--- +Name: coreuicomponents.dll +Author: Chris Spehn +Created: 2021-08-16 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" + - "%SYSWOW64%" +VulnerableExecutables: + - Path: '%SYSTEM32%\dwm.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 3fed8882bac790b9a2c5131389a808286e61bf8d Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 13:46:31 -0600 Subject: [PATCH 080/156] Updated xmllite.yml --- yml/microsoft/built-in/xmllite.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/yml/microsoft/built-in/xmllite.yml b/yml/microsoft/built-in/xmllite.yml index 26d9f1b3..dfc4cb48 100644 --- a/yml/microsoft/built-in/xmllite.yml +++ b/yml/microsoft/built-in/xmllite.yml 
@@ -19,10 +19,14 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\dmomacpmo.exe' Type: Sideloading +- Path: '%SYSTEM32%\dxcap.exe' + Type: Sideloading - Path: '%SYSTEM32%\dxpserver.exe' Type: Sideloading - Path: '%SYSTEM32%\mdmdiagnosticstool.exe' Type: Sideloading +- Path: '%SYSTEM32%\mousocoreworker.exe' + Type: Sideloading - Path: '%SYSTEM32%\musnotificationux.exe' Type: Sideloading - Path: '%SYSTEM32%\musnotifyicon.exe' @@ -38,10 +42,16 @@ VulnerableExecutables: - Path: '%SYSTEM32%\systemreset.exe' Type: Sideloading AutoElevate: true +- Path: '%SYSTEM32%\tracerpt.exe' + Type: Sideloading - Path: '%SYSTEM32%\upfc.exe' Type: Sideloading - Path: '%SYSTEM32%\usocoreworker.exe' Type: Sideloading +- Path: '%SYSTEM32%\vsgraphicsdesktopengine.exe' + Type: Sideloading +- Path: '%SYSTEM32%\vsgraphicsremoteengine.exe' + Type: Sideloading - Path: '%SYSTEM32%\wbengine.exe' Type: Sideloading - Path: '%SYSTEM32%\compmgmtlauncher.exe' @@ -59,6 +69,10 @@ VulnerableExecutables: Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows - https://wietze.github.io/blog/save-the-environment-variables +- https://securityintelligence.com/posts/windows-features-dll-sideloading/ +- https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: '@wietze' +- Name: Chris Spehn + Twitter: "@ConsciousHacker" From 36f0b025eabf85c3917114a3f330b89942b2d46e Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 13:48:54 -0600 Subject: [PATCH 081/156] Updated d3d11.yml --- yml/microsoft/built-in/d3d11.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/yml/microsoft/built-in/d3d11.yml b/yml/microsoft/built-in/d3d11.yml index 2440c2ab..730fce1c 100644 --- a/yml/microsoft/built-in/d3d11.yml +++ b/yml/microsoft/built-in/d3d11.yml 
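Review bot: The added acknowledgement uses `Twitter: "@ConsciousHacker"` while the entry directly above it in xmllite.yml is written `Twitter: '@wietze'`, so the file now mixes quoting styles within one list; `Twitter: '@ConsciousHacker'` would match. The same mismatch is introduced in dbghelp.yml (patch 082), credui.yml (patch 085) and cabinet.yml (patch 089), which also single-quote the existing entry. Both forms parse to the same string, so this is purely a consistency point.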
@@ -11,6 +11,8 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\dwm.exe' Type: Sideloading + - Path: '%SYSTEM32%\dxcap.exe' + Type: Sideloading - Path: '%SYSTEM32%\dxgiadaptercache.exe' Type: Sideloading - Path: '%SYSTEM32%\gamepanel.exe' @@ -25,11 +27,19 @@ VulnerableExecutables: - Path: '%SYSTEM32%\taskmgr.exe' Type: Sideloading AutoElevate: true + - Path: '%SYSTEM32%\vsgraphicsdesktopengine.exe' + Type: Sideloading + - Path: '%SYSTEM32%\vsgraphicsremoteengine.exe' + Type: Sideloading - Path: '%SYSTEM32%\winsat.exe' Type: Sideloading AutoElevate: true Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 52892b8cc802dfbed688124813f9f41c12af2049 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 13:55:04 -0600 Subject: [PATCH 082/156] Updated dbghelp.yml --- yml/microsoft/built-in/dbghelp.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/yml/microsoft/built-in/dbghelp.yml b/yml/microsoft/built-in/dbghelp.yml index 0b050589..109e007a 100644 --- a/yml/microsoft/built-in/dbghelp.yml +++ b/yml/microsoft/built-in/dbghelp.yml @@ -21,10 +21,16 @@ ExpectedLocations: VulnerableExecutables: - Path: '%SYSTEM32%\bootim.exe' Type: Sideloading +- Path: '%SYSTEM32%\dxcap.exe' + Type: Sideloading - Path: '%SYSTEM32%\taskkill.exe' Type: Sideloading - Path: '%SYSTEM32%\tasklist.exe' Type: Sideloading +- Path: '%SYSTEM32%\tracerpt.exe' + Type: Sideloading +- Path: '%SYSTEM32%\werfault.exe' + Type: Sideloading - Path: '%SYSTEM32%\bdehdcfg.exe' Type: Environment Variable Variable: WINDIR 
@@ -61,6 +67,10 @@ VulnerableExecutables: Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows - https://wietze.github.io/blog/save-the-environment-variables +- https://securityintelligence.com/posts/windows-features-dll-sideloading/ +- https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: '@wietze' +- Name: Chris Spehn + Twitter: "@ConsciousHacker" From 91c90aa4b70490dffdc6dadc354387084bf9e166 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 13:59:23 -0600 Subject: [PATCH 083/156] Updated d2d1.yml --- yml/microsoft/built-in/d2d1.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/yml/microsoft/built-in/d2d1.yml b/yml/microsoft/built-in/d2d1.yml index b6aefc10..48a901c5 100644 --- a/yml/microsoft/built-in/d2d1.yml +++ b/yml/microsoft/built-in/d2d1.yml @@ -11,12 +11,22 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\dwm.exe' Type: Sideloading + - Path: '%SYSTEM32%\eoaexperiences.exe' + Type: Sideloading - Path: '%SYSTEM32%\gamepanel.exe' Type: Sideloading - Path: '%SYSTEM32%\quickassist.exe' Type: Sideloading + - Path: '%SYSTEM32%\vsgraphicsdesktopengine.exe' + Type: Sideloading + - Path: '%SYSTEM32%\vsgraphicsremoteengine.exe' + Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 5b408436efe407dd35ebc18d95beef18cffeb383 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 14:01:59 -0600 Subject: [PATCH 084/156] Added powrprof.yml --- yml/microsoft/built-in/powrprof.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 yml/microsoft/built-in/powrprof.yml diff --git a/yml/microsoft/built-in/powrprof.yml b/yml/microsoft/built-in/powrprof.yml new file mode 100644 index 00000000..5a8cdd36 
--- /dev/null +++ b/yml/microsoft/built-in/powrprof.yml @@ -0,0 +1,23 @@ +--- +Name: powrprof.dll +Author: Chris Spehn +Created: 2021-08-16 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" + - "%SYSWOW64%" +VulnerableExecutables: + - Path: '%SYSTEM32%\fsquirt.exe' + Type: Sideloading + - Path: '%SYSTEM32%\msinfo32.exe' + Type: Sideloading + - Path: '%SYSTEM32%\printfilterpipelinesvc.exe' + Type: Sideloading + - Path: '%SYSTEM32%\sfc.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From a54db95e6f506ee6a89b9f209b139585413e9de7 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 14:09:33 -0600 Subject: [PATCH 085/156] Added credui.yml --- yml/microsoft/built-in/credui.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/yml/microsoft/built-in/credui.yml b/yml/microsoft/built-in/credui.yml index ca71ad2b..04514841 100644 --- a/yml/microsoft/built-in/credui.yml +++ b/yml/microsoft/built-in/credui.yml @@ -11,8 +11,16 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\fxssvc.exe' Type: Sideloading +- Path: '%SYSTEM32%\gpfixup.exe' + Type: Sideloading +- Path: '%SYSTEM32%\licmgr.exe' + Type: Sideloading - Path: '%SYSTEM32%\mstsc.exe' Type: Sideloading +- Path: '%SYSTEM32%\netdom.exe' + Type: Sideloading +- Path: '%SYSTEM32%\nlbmgr.exe' + Type: Sideloading - Path: '%SYSTEM32%\perfmon.exe' Type: Sideloading AutoElevate: true @@ -20,6 +28,8 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\rpcping.exe' Type: Sideloading +- Path: '%SYSTEM32%\runas.exe' + Type: Sideloading - Path: '%SYSTEM32%\systempropertiesadvanced.exe' Type: Sideloading AutoElevate: true 
@@ -38,6 +48,10 @@ VulnerableExecutables: Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows - https://wietze.github.io/blog/save-the-environment-variables +- https://securityintelligence.com/posts/windows-features-dll-sideloading/ +- https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: '@wietze' +- Name: Chris Spehn + Twitter: "@ConsciousHacker" From 0ff90c265392ab95394a333bf02358ef1e2192e4 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 14:31:24 -0600 Subject: [PATCH 086/156] Added gpapi.yml --- yml/microsoft/built-in/gpapi.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 yml/microsoft/built-in/gpapi.yml diff --git a/yml/microsoft/built-in/gpapi.yml b/yml/microsoft/built-in/gpapi.yml new file mode 100644 index 00000000..b1028e82 --- /dev/null +++ b/yml/microsoft/built-in/gpapi.yml @@ -0,0 +1,17 @@ +--- +Name: gpapi.dll +Author: Chris Spehn +Created: 2021-08-16 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" + - "%SYSWOW64%" +VulnerableExecutables: + - Path: '%SYSTEM32%\gpapi.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 8071554d1aa1963ea7beb57fbbaa16b747ec900d Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 14:37:57 -0600 Subject: [PATCH 087/156] Added configmanager2.yml --- yml/microsoft/built-in/configmanager2.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 yml/microsoft/built-in/configmanager2.yml diff --git a/yml/microsoft/built-in/configmanager2.yml b/yml/microsoft/built-in/configmanager2.yml new file mode 100644 index 00000000..708ce46a --- /dev/null +++ b/yml/microsoft/built-in/configmanager2.yml 
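Review bot: The single `Path: '%SYSTEM32%\gpapi.exe'` entry in the new gpapi.yml repeats the DLL's own base name with an `.exe` extension, which looks like the Name field copied into the executable slot rather than a binary that was observed loading gpapi.dll; every other file created in this series names a loader distinct from the DLL. If that executable does not exist, the record cannot be reproduced or matched by anything consuming the catalog, so please confirm the path (or replace it with the executable that was actually tested) before this lands. A one-line `# verified on <build placeholder>` comment beside the entry would make later audits of the catalog easier.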
@@ -0,0 +1,16 @@ +--- +Name: gpapi.dll +Author: Chris Spehn +Created: 2021-08-16 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" +VulnerableExecutables: + - Path: '%SYSTEM32%\hvsievaluator.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 3b8ee12ae249289dab8c43b34c46f527807b8e68 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 14:39:18 -0600 Subject: [PATCH 088/156] Updated configmanager2.yml --- yml/microsoft/built-in/configmanager2.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/yml/microsoft/built-in/configmanager2.yml b/yml/microsoft/built-in/configmanager2.yml index 708ce46a..52a50fb4 100644 --- a/yml/microsoft/built-in/configmanager2.yml +++ b/yml/microsoft/built-in/configmanager2.yml @@ -1,5 +1,5 @@ --- -Name: gpapi.dll +Name: configmanager2.dll Author: Chris Spehn Created: 2021-08-16 Vendor: Microsoft From cd2a0810e18b45310e30aa94f9b72f35d7ab7769 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Tue, 16 Aug 2022 15:05:21 -0600 Subject: [PATCH 089/156] Updated cabinet.yml --- yml/microsoft/built-in/cabinet.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/yml/microsoft/built-in/cabinet.yml b/yml/microsoft/built-in/cabinet.yml index 128139a9..4964f084 100644 --- a/yml/microsoft/built-in/cabinet.yml +++ b/yml/microsoft/built-in/cabinet.yml @@ -17,6 +17,8 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\extrac32.exe' Type: Sideloading +- Path: '%SYSTEM32%\iesettingsync.exe' + Type: Sideloading - Path: '%SYSTEM32%\licensingdiag.exe' Type: Sideloading - Path: '%SYSTEM32%\makecab.exe' 
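Review bot: The new configmanager2.yml lists only `"%SYSTEM32%"` under ExpectedLocations, whereas most files created in this series also list `"%SYSWOW64%"`; if there is genuinely no 32-bit copy of this DLL, a short comment such as `# no SysWOW64 copy` next to the entry would record that the omission is deliberate. lrwizdll.yml, lockhostingframework.yml and mbaexmlparser.yml (patches 097–099) have the same single-location list and would benefit from the same note. I cannot tell from the diff alone which case applies.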
@@ -32,6 +34,8 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\plasrv.exe' Type: Sideloading +- Path: '%SYSTEM32%\pnputil.exe' + Type: Sideloading - Path: '%SYSTEM32%\reagentc.exe' Type: Sideloading - Path: '%SYSTEM32%\recdisc.exe' @@ -44,6 +48,8 @@ VulnerableExecutables: - Path: '%SYSTEM32%\sdclt.exe' Type: Sideloading AutoElevate: true +- Path: '%SYSTEM32%\sihclient.exe' + Type: Sideloading - Path: '%SYSTEM32%\systemreset.exe' Type: Sideloading AutoElevate: true @@ -61,6 +67,10 @@ VulnerableExecutables: Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows - https://wietze.github.io/blog/save-the-environment-variables +- https://securityintelligence.com/posts/windows-features-dll-sideloading/ +- https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: '@wietze' +- Name: Chris Spehn + Twitter: "@ConsciousHacker" From 0c55dbb5c3d7c89fa8d8ad273f12df4ef9eddfe3 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 07:30:41 -0600 Subject: [PATCH 090/156] Added winscard.yml --- yml/microsoft/built-in/winscard.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 yml/microsoft/built-in/winscard.yml diff --git a/yml/microsoft/built-in/winscard.yml b/yml/microsoft/built-in/winscard.yml new file mode 100644 index 00000000..47718a96 --- /dev/null +++ b/yml/microsoft/built-in/winscard.yml @@ -0,0 +1,21 @@ +--- +Name: winscard.dll +Author: Chris Spehn +Created: 2021-08-16 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" + - "%SYSWOW64%" +VulnerableExecutables: + - Path: '%SYSTEM32%\immersivetpmvscmgrsvr.exe' + Type: Sideloading + - Path: '%SYSTEM32%\rmttpmvscmgrsvr.exe' + Type: Sideloading + - Path: '%SYSTEM32%\tpmvscmgrsvr.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" 
From 7215b153643cc745c2d403f71d8a6c9090ddc64f Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 07:32:31 -0600 Subject: [PATCH 091/156] Updated newdev.yml --- yml/microsoft/built-in/newdev.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/yml/microsoft/built-in/newdev.yml b/yml/microsoft/built-in/newdev.yml index 480754c1..20c8dc60 100644 --- a/yml/microsoft/built-in/newdev.yml +++ b/yml/microsoft/built-in/newdev.yml @@ -7,6 +7,8 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\infdefaultinstall.exe' + Type: Sideloading - Path: '%SYSTEM32%\pnpunattend.exe' Type: Sideloading - Path: '%SYSTEM32%\systemsettingsadminflows.exe' @@ -14,6 +16,10 @@ VulnerableExecutables: AutoElevate: true Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From f8e8ddf34cada174b9bf9587c4d3b7e3aca085bf Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 07:34:19 -0600 Subject: [PATCH 092/156] Added drvstore.yml --- yml/microsoft/built-in/drvstore.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 yml/microsoft/built-in/drvstore.yml diff --git a/yml/microsoft/built-in/drvstore.yml b/yml/microsoft/built-in/drvstore.yml new file mode 100644 index 00000000..df6874da --- /dev/null +++ b/yml/microsoft/built-in/drvstore.yml 
@@ -0,0 +1,19 @@ +--- +Name: drvstore.dll +Author: Chris Spehn +Created: 2021-08-16 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" + - "%SYSWOW64%" +VulnerableExecutables: + - Path: '%SYSTEM32%\infdefaultinstall.exe' + Type: Sideloading + - Path: '%SYSTEM32%\securityhealthservice.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From f1dd9b842e5b78714e23795317b1dad0466dba88 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 07:36:54 -0600 Subject: [PATCH 093/156] Updated ktmw32.yml --- yml/microsoft/built-in/ktmw32.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/yml/microsoft/built-in/ktmw32.yml b/yml/microsoft/built-in/ktmw32.yml index d445ea26..d32115ce 100644 --- a/yml/microsoft/built-in/ktmw32.yml +++ b/yml/microsoft/built-in/ktmw32.yml @@ -7,6 +7,8 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\ktmutil.exe' + Type: Sideloading - Path: '%SYSTEM32%\msdtc.exe' Type: Sideloading - Path: '%SYSTEM32%\mstsc.exe' @@ -22,6 +24,10 @@ VulnerableExecutables: Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 6ebc809cbc88056d5b3fecf64701e67c7801df16 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 07:38:13 -0600 Subject: [PATCH 094/156] Updated dhcpcsvc.yml --- yml/microsoft/built-in/dhcpcsvc.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/yml/microsoft/built-in/dhcpcsvc.yml b/yml/microsoft/built-in/dhcpcsvc.yml index 8f7aefd5..2a6f058b 100644 --- a/yml/microsoft/built-in/dhcpcsvc.yml +++ b/yml/microsoft/built-in/dhcpcsvc.yml 
@@ -7,12 +7,18 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\ipconfig.exe' + Type: Sideloading - Path: '%SYSTEM32%\netiougc.exe' Type: Sideloading - Path: '%SYSTEM32%\netsh.exe' Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 93e221df3e35af7af9b3762beb97e190d7763eb2 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 07:39:06 -0600 Subject: [PATCH 095/156] Updated dhcpcsvc6.yml --- yml/microsoft/built-in/dhcpcsvc6.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/yml/microsoft/built-in/dhcpcsvc6.yml b/yml/microsoft/built-in/dhcpcsvc6.yml index 3e7627d4..8c18b3fc 100644 --- a/yml/microsoft/built-in/dhcpcsvc6.yml +++ b/yml/microsoft/built-in/dhcpcsvc6.yml @@ -7,10 +7,16 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\ipconfig.exe' + Type: Sideloading - Path: '%SYSTEM32%\netsh.exe' Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 5b5cf5fef9dde6ee451887199b9bff18fec1c7a7 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 07:40:11 -0600 Subject: [PATCH 096/156] Updated wlanapi.yml --- yml/microsoft/built-in/wlanapi.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/yml/microsoft/built-in/wlanapi.yml b/yml/microsoft/built-in/wlanapi.yml index d54cf6f3..e57fee75 100644 --- a/yml/microsoft/built-in/wlanapi.yml +++ b/yml/microsoft/built-in/wlanapi.yml 
@@ -7,12 +7,18 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\legacynetuxhost.exe' + Type: Sideloading - Path: '%SYSTEM32%\netsh.exe' Type: Sideloading - Path: '%SYSTEM32%\wifitask.exe' Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From d514b6a6f8b19676cf91791eb7101a0610771439 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 07:43:05 -0600 Subject: [PATCH 097/156] Added lrwizdll.yml --- yml/microsoft/built-in/drvstore.yml | 2 +- yml/microsoft/built-in/lrwizdll.yml | 16 ++++++++++++++++ yml/microsoft/built-in/winscard.yml | 2 +- 3 files changed, 18 insertions(+), 2 deletions(-) create mode 100644 yml/microsoft/built-in/lrwizdll.yml diff --git a/yml/microsoft/built-in/drvstore.yml b/yml/microsoft/built-in/drvstore.yml index df6874da..0b158bcc 100644 --- a/yml/microsoft/built-in/drvstore.yml +++ b/yml/microsoft/built-in/drvstore.yml @@ -1,7 +1,7 @@ --- Name: drvstore.dll Author: Chris Spehn -Created: 2021-08-16 +Created: 2021-08-17 Vendor: Microsoft ExpectedLocations: - "%SYSTEM32%" diff --git a/yml/microsoft/built-in/lrwizdll.yml b/yml/microsoft/built-in/lrwizdll.yml new file mode 100644 index 00000000..b8d63388 --- /dev/null +++ b/yml/microsoft/built-in/lrwizdll.yml @@ -0,0 +1,16 @@ +--- +Name: lrwizdll.dll +Author: Chris Spehn +Created: 2021-08-17 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" +VulnerableExecutables: + - Path: '%SYSTEM32%\licmgr.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" 
diff --git a/yml/microsoft/built-in/winscard.yml b/yml/microsoft/built-in/winscard.yml index 47718a96..22c00361 100644 --- a/yml/microsoft/built-in/winscard.yml +++ b/yml/microsoft/built-in/winscard.yml @@ -1,7 +1,7 @@ --- Name: winscard.dll Author: Chris Spehn -Created: 2021-08-16 +Created: 2021-08-17 Vendor: Microsoft ExpectedLocations: - "%SYSTEM32%" From ff2d0e60c3ec2893d0e43adcc88824bb8f2d1671 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 07:44:42 -0600 Subject: [PATCH 098/156] Added lockhostingframework.yml --- yml/microsoft/built-in/lockhostingframework.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 yml/microsoft/built-in/lockhostingframework.yml diff --git a/yml/microsoft/built-in/lockhostingframework.yml b/yml/microsoft/built-in/lockhostingframework.yml new file mode 100644 index 00000000..19dcfed6 --- /dev/null +++ b/yml/microsoft/built-in/lockhostingframework.yml @@ -0,0 +1,16 @@ +--- +Name: lockhostingframework.dll +Author: Chris Spehn +Created: 2021-08-17 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" +VulnerableExecutables: + - Path: '%SYSTEM32%\lockapphost.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 58f25298d4cd75b3232a1ee06e271db864d5ae13 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 07:46:05 -0600 Subject: [PATCH 099/156] Added mbaexmlparser.yml --- yml/microsoft/built-in/mbaexmlparser.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 yml/microsoft/built-in/mbaexmlparser.yml diff --git a/yml/microsoft/built-in/mbaexmlparser.yml b/yml/microsoft/built-in/mbaexmlparser.yml new file mode 100644 index 00000000..3b82e93f --- /dev/null +++ b/yml/microsoft/built-in/mbaexmlparser.yml 
@@ -0,0 +1,16 @@ +--- +Name: mbaexmlparser.dll +Author: Chris Spehn +Created: 2021-08-17 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" +VulnerableExecutables: + - Path: '%SYSTEM32%\mbaeparsertask.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 02e448bbc63c52de437d6dc13fb90b28fd4bbf06 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 07:47:12 -0600 Subject: [PATCH 100/156] Updated mobilenetworking.yml --- yml/microsoft/built-in/mobilenetworking.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/yml/microsoft/built-in/mobilenetworking.yml b/yml/microsoft/built-in/mobilenetworking.yml index 05c966d5..2c143d10 100644 --- a/yml/microsoft/built-in/mobilenetworking.yml +++ b/yml/microsoft/built-in/mobilenetworking.yml @@ -7,10 +7,16 @@ ExpectedLocations: - "%SYSTEM32%" - "%SYSWOW64%" VulnerableExecutables: + - Path: '%SYSTEM32%\mbaeparsertask.exe' + Type: Sideloading - Path: '%SYSTEM32%\netsh.exe' Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From adfaa319bfc84027ce55f3a4c9be4bbdbc8b805a Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 07:48:30 -0600 Subject: [PATCH 101/156] Added batmeter.yml --- yml/microsoft/built-in/batmeter.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 yml/microsoft/built-in/batmeter.yml diff --git a/yml/microsoft/built-in/batmeter.yml b/yml/microsoft/built-in/batmeter.yml new file mode 100644 index 00000000..4d8d7115 --- /dev/null +++ b/yml/microsoft/built-in/batmeter.yml 
@@ -0,0 +1,17 @@
+---
+Name: batmeter.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\mblctr.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 5f1531a316bd040a97a4fa82473a2d92538fbf0a Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 07:52:53 -0600
Subject: [PATCH 102/156] Updated dwmapi.yml
---
 yml/microsoft/built-in/dwmapi.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/yml/microsoft/built-in/dwmapi.yml b/yml/microsoft/built-in/dwmapi.yml
index 85811c6e..4d2d01f9 100644
--- a/yml/microsoft/built-in/dwmapi.yml
+++ b/yml/microsoft/built-in/dwmapi.yml
@@ -21,18 +21,30 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\lockscreencontentserver.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\mblctr.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\osk.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\proximityuxhost.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\rdpclip.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\rdpshell.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\rdvghelper.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\sndvol.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\snippingtool.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\wmpdmc.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 1d922a0836b56247461037033117bde7d564dd49 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 07:55:33 -0600
Subject: [PATCH 103/156] Updated winmm.yml
---
 yml/microsoft/built-in/winmm.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/yml/microsoft/built-in/winmm.yml b/yml/microsoft/built-in/winmm.yml
index ea2daf14..915819a4 100644
--- a/yml/microsoft/built-in/winmm.yml
+++ b/yml/microsoft/built-in/winmm.yml
@@ -7,12 +7,30 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\mblctr.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\mspaint.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\mstsc.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\osk.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\presentationsettings.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\proximityuxhost.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\wfs.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\winsat.exe'
 Type: Sideloading
 AutoElevate: true
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
 - https://securelist.com/wastedlocker-technical-analysis/97944/
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 409a889e934d60153b41edb3ec2326e28f6b0d80 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 07:56:55 -0600
Subject: [PATCH 104/156] Updated omadmapi.yml
---
 yml/microsoft/built-in/omadmapi.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/yml/microsoft/built-in/omadmapi.yml b/yml/microsoft/built-in/omadmapi.yml
index 1ca58584..f425034d 100644
--- a/yml/microsoft/built-in/omadmapi.yml
+++ b/yml/microsoft/built-in/omadmapi.yml
@@ -17,16 +17,24 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\hvsievaluator.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\mdmagent.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\mdmappinstaller.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\mdmdiagnosticstool.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\omadmclient.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\omadmrpc.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\usocoreworker.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 96456446ebb3700129f021667f90e3df2de6b412 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 07:58:08 -0600
Subject: [PATCH 105/156] Updated dmenrollengine.yml
---
 yml/microsoft/built-in/dmenrollengine.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/dmenrollengine.yml b/yml/microsoft/built-in/dmenrollengine.yml
index 7970a04f..09aad8a1 100644
--- a/yml/microsoft/built-in/dmenrollengine.yml
+++ b/yml/microsoft/built-in/dmenrollengine.yml
@@ -11,6 +11,8 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\dmomacpmo.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\mdmagent.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\mdmappinstaller.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\mdmdiagnosticstool.exe'
@@ -21,6 +23,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From f9805e81a243f579cb2dc9b033457fff73931ab6 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:00:15 -0600
Subject: [PATCH 106/156] Added edgeiso.yml
---
 yml/microsoft/built-in/edgeiso.yml | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 yml/microsoft/built-in/edgeiso.yml
diff --git a/yml/microsoft/built-in/edgeiso.yml b/yml/microsoft/built-in/edgeiso.yml
new file mode 100644
index 00000000..c87e34e8
--- /dev/null
+++ b/yml/microsoft/built-in/edgeiso.yml
@@ -0,0 +1,23 @@
+---
+Name: edgeiso.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\microsoftedgebchost.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\microsoftedgecp.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\microsoftedgedevtools.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\microsoftedgesh.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 3f7b3ce3d0fac8a557c8700bc7904f14476bd4a4 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:01:36 -0600
Subject: [PATCH 107/156] Updated dmiso8601utils.yml
---
 yml/microsoft/built-in/dmiso8601utils.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/dmiso8601utils.yml b/yml/microsoft/built-in/dmiso8601utils.yml
index ee054a39..fec8f7ed 100644
--- a/yml/microsoft/built-in/dmiso8601utils.yml
+++ b/yml/microsoft/built-in/dmiso8601utils.yml
@@ -9,12 +9,18 @@ ExpectedLocations:
 VulnerableExecutables:
 - Path: '%SYSTEM32%\mdmdiagnosticstool.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\mousocoreworker.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\omadmclient.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\usocoreworker.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 6975d43612c9c6af54ace2a3a4165be648515280 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:02:44 -0600
Subject: [PATCH 108/156] Updated updatepolicy.yml
---
 yml/microsoft/built-in/updatepolicy.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/yml/microsoft/built-in/updatepolicy.yml b/yml/microsoft/built-in/updatepolicy.yml
index 9de1250f..4f05967b 100644
--- a/yml/microsoft/built-in/updatepolicy.yml
+++ b/yml/microsoft/built-in/updatepolicy.yml
@@ -7,14 +7,22 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\mousocoreworker.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\musnotification.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\musnotificationux.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\usoclient.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\usocoreworker.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 8f932f09d14f9f2ace5353a4726cc664fb6a05bb Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:03:47 -0600
Subject: [PATCH 109/156] Updated wkscli.yml
---
 yml/microsoft/built-in/wkscli.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/yml/microsoft/built-in/wkscli.yml b/yml/microsoft/built-in/wkscli.yml
index aa1f0789..d7ed2fb6 100644
--- a/yml/microsoft/built-in/wkscli.yml
+++ b/yml/microsoft/built-in/wkscli.yml
@@ -25,6 +25,10 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\net1.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\netdom.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\secinit.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\systempropertiesadvanced.exe'
 Type: Sideloading
 AutoElevate: true
@@ -35,6 +39,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From a7afef4d88b1e359170d6026a018c42520b196de Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:04:59 -0600
Subject: [PATCH 110/156] Updated dmcmnutils.yml
---
 yml/microsoft/built-in/dmcmnutils.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/dmcmnutils.yml b/yml/microsoft/built-in/dmcmnutils.yml
index b9fa5d60..d168c309 100644
--- a/yml/microsoft/built-in/dmcmnutils.yml
+++ b/yml/microsoft/built-in/dmcmnutils.yml
@@ -25,6 +25,8 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\mdmdiagnosticstool.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\mousocoreworker.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\musnotificationux.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\musnotifyicon.exe'
@@ -37,6 +39,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From d0265711bea1dcaa0f6cbebd380f8819cd3ac5be Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:06:01 -0600
Subject: [PATCH 111/156] Added netjoin.yml
---
 yml/microsoft/built-in/netjoin.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 yml/microsoft/built-in/netjoin.yml
diff --git a/yml/microsoft/built-in/netjoin.yml b/yml/microsoft/built-in/netjoin.yml
new file mode 100644
index 00000000..cdb77fc6
--- /dev/null
+++ b/yml/microsoft/built-in/netjoin.yml
@@ -0,0 +1,17 @@
+---
+Name: netjoin.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\netdom.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From a1674bab3b79243f4a8df69634be50c910d2dbf3 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:06:57 -0600
Subject: [PATCH 112/156] Updated cryptdll.yml
---
 yml/microsoft/built-in/cryptdll.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/cryptdll.yml b/yml/microsoft/built-in/cryptdll.yml
index d38188b7..7a54b06e 100644
--- a/yml/microsoft/built-in/cryptdll.yml
+++ b/yml/microsoft/built-in/cryptdll.yml
@@ -9,8 +9,14 @@ ExpectedLocations:
 VulnerableExecutables:
 - Path: '%SYSTEM32%\at.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\netdom.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 34bb29b2de838df1e27666e71b74e081ea793163 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:08:03 -0600
Subject: [PATCH 113/156] Added icmp.yml
---
 yml/microsoft/built-in/icmp.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 yml/microsoft/built-in/icmp.yml
diff --git a/yml/microsoft/built-in/icmp.yml b/yml/microsoft/built-in/icmp.yml
new file mode 100644
index 00000000..bd5a93bb
--- /dev/null
+++ b/yml/microsoft/built-in/icmp.yml
@@ -0,0 +1,17 @@
+---
+Name: icmp.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\nlbmgr.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 39b8dd2a285cbd1bcf4d1c80c95aefae87639998 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:09:15 -0600
Subject: [PATCH 114/156] Added coredplus.yml
---
 yml/microsoft/built-in/coredplus.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 yml/microsoft/built-in/coredplus.yml
diff --git a/yml/microsoft/built-in/coredplus.yml b/yml/microsoft/built-in/coredplus.yml
new file mode 100644
index 00000000..8de90149
--- /dev/null
+++ b/yml/microsoft/built-in/coredplus.yml
@@ -0,0 +1,16 @@
+---
+Name: coredplus.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\omadmclient.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 4200452b715106e44da6d5cc740246679b8ff4b6 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:10:28 -0600
Subject: [PATCH 115/156] Updated dmpushproxy.yml
---
 yml/microsoft/built-in/dmpushproxy.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/dmpushproxy.yml b/yml/microsoft/built-in/dmpushproxy.yml
index 5883f522..7b2f7f66 100644
--- a/yml/microsoft/built-in/dmpushproxy.yml
+++ b/yml/microsoft/built-in/dmpushproxy.yml
@@ -9,8 +9,14 @@ ExpectedLocations:
 VulnerableExecutables:
 - Path: '%SYSTEM32%\dmcfghost.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\omadmrpc.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From bdfbc22967aa8714538e2cb5977a966cccdd6c7a Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:11:28 -0600
Subject: [PATCH 116/156] Updated pcaui.yml
---
 yml/microsoft/built-in/pcaui.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/pcaui.yml b/yml/microsoft/built-in/pcaui.yml
index 9061943f..9730c0e0 100644
--- a/yml/microsoft/built-in/pcaui.yml
+++ b/yml/microsoft/built-in/pcaui.yml
@@ -7,10 +7,16 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\pcaui.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\pcalua.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From bd04d69a207325b438d4f0828a4a98a934347711 Mon Sep 17 00:00:00 2001
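Review bot: The new `pcaui.exe` entry in the pcaui.yml hunk is inserted above `pcalua.exe`, but every `VulnerableExecutables` list touched in this series is kept in alphabetical order and `pcalua` sorts before `pcaui`, so the two entries should be swapped so that `- Path: '%SYSTEM32%\pcalua.exe'` comes first. The same ordering slip appears in the later winsta.yml and utildll.yml hunks, where `qprocess.exe` is placed after `quser.exe` instead of before it. Keeping the order strict matters beyond style here: consumers that diff or merge these lists (or that generate detection content from them) spot duplicates and omissions far more reliably when the sort is consistent.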
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:12:26 -0600
Subject: [PATCH 117/156] Updated slc.yml
---
 yml/microsoft/built-in/slc.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/yml/microsoft/built-in/slc.yml b/yml/microsoft/built-in/slc.yml
index a64cdf25..b5c826e5 100644
--- a/yml/microsoft/built-in/slc.yml
+++ b/yml/microsoft/built-in/slc.yml
@@ -13,8 +13,16 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\packageinspector.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\phoneactivate.exe'
+ Type: Sideloading
+ - Path: '%SYSTEM32%\slui.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From fb4922c3024e624f6190ac9a86905144a344fefb Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:13:56 -0600
Subject: [PATCH 118/156] Added sppcext.yml
---
 yml/microsoft/built-in/sppcext.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 yml/microsoft/built-in/sppcext.yml
diff --git a/yml/microsoft/built-in/sppcext.yml b/yml/microsoft/built-in/sppcext.yml
new file mode 100644
index 00000000..d0bf8bfd
--- /dev/null
+++ b/yml/microsoft/built-in/sppcext.yml
@@ -0,0 +1,17 @@
+---
+Name: sppcext.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\phoneactivate.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From eee71e6cc81c73e28f64974b2155492a99551db6 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:15:08 -0600
Subject: [PATCH 119/156] Updated devobj.yml
---
 yml/microsoft/built-in/devobj.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/yml/microsoft/built-in/devobj.yml b/yml/microsoft/built-in/devobj.yml
index 92032d4c..4ddd3145 100644
--- a/yml/microsoft/built-in/devobj.yml
+++ b/yml/microsoft/built-in/devobj.yml
@@ -43,6 +43,8 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\osk.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\pnputil.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\rdpclip.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\recover.exe'
@@ -51,12 +53,18 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\tabcal.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\vsgraphicsdesktopengine.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\vssvc.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\workfolders.exe'
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 5d05f27d9b5e0926999864a9e5d9fd2dae4bcb0a Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:16:19 -0600
Subject: [PATCH 120/156] Added prntvpt.yml
---
 yml/microsoft/built-in/prntvpt.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 yml/microsoft/built-in/prntvpt.yml
diff --git a/yml/microsoft/built-in/prntvpt.yml b/yml/microsoft/built-in/prntvpt.yml
new file mode 100644
index 00000000..17b699aa
--- /dev/null
+++ b/yml/microsoft/built-in/prntvpt.yml
@@ -0,0 +1,17 @@
+---
+Name: prntvpt.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\printfilterpipelinesvc.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From aeba40c52438eeed9c5677a9f2060e3109482e2b Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:17:21 -0600
Subject: [PATCH 121/156] Added xpsservices.yml
---
 yml/microsoft/built-in/xpsservices.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 yml/microsoft/built-in/xpsservices.yml
diff --git a/yml/microsoft/built-in/xpsservices.yml b/yml/microsoft/built-in/xpsservices.yml
new file mode 100644
index 00000000..90254e66
--- /dev/null
+++ b/yml/microsoft/built-in/xpsservices.yml
@@ -0,0 +1,17 @@
+---
+Name: xpsservices.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\printfilterpipelinesvc.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From cda2987d8363b09d42a89404a9fa2fa9bcdddbce Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:18:19 -0600
Subject: [PATCH 122/156] Added dmcommandlineutils.yml
---
 yml/microsoft/built-in/dmcommandlineutils.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 yml/microsoft/built-in/dmcommandlineutils.yml
diff --git a/yml/microsoft/built-in/dmcommandlineutils.yml b/yml/microsoft/built-in/dmcommandlineutils.yml
new file mode 100644
index 00000000..d1f225ac
--- /dev/null
+++ b/yml/microsoft/built-in/dmcommandlineutils.yml
@@ -0,0 +1,17 @@
+---
+Name: dmcommandlineutils.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\provtool.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 978b60ddfd3f3116f733f9badaf240544f8f1404 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:19:20 -0600
Subject: [PATCH 123/156] Added proximitycommon.yml
---
 yml/microsoft/built-in/proximitycommon.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 yml/microsoft/built-in/proximitycommon.yml
diff --git a/yml/microsoft/built-in/proximitycommon.yml b/yml/microsoft/built-in/proximitycommon.yml
new file mode 100644
index 00000000..df0abdb8
--- /dev/null
+++ b/yml/microsoft/built-in/proximitycommon.yml
@@ -0,0 +1,17 @@
+---
+Name: proximitycommon.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\proximityuxhost.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From ed1607c885a52006409b0a246e1dda796cd9cb7a Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:20:29 -0600
Subject: [PATCH 124/156] Added proximityservicepal.yml
---
 yml/microsoft/built-in/proximityservicepal.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 yml/microsoft/built-in/proximityservicepal.yml
diff --git a/yml/microsoft/built-in/proximityservicepal.yml b/yml/microsoft/built-in/proximityservicepal.yml
new file mode 100644
index 00000000..ed3c31e5
--- /dev/null
+++ b/yml/microsoft/built-in/proximityservicepal.yml
@@ -0,0 +1,16 @@
+---
+Name: proximityservicepal.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\proximityuxhost.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From bc4c86fd0478bdc43efdde54fab9965ed6d3a46f Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:21:45 -0600
Subject: [PATCH 125/156] Updated deviceassociation.yml
---
 yml/microsoft/built-in/deviceassociation.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/deviceassociation.yml b/yml/microsoft/built-in/deviceassociation.yml
index b98adee1..6bf3fd80 100644
--- a/yml/microsoft/built-in/deviceassociation.yml
+++ b/yml/microsoft/built-in/deviceassociation.yml
@@ -9,8 +9,14 @@ ExpectedLocations:
 VulnerableExecutables:
 - Path: '%SYSTEM32%\eduprintprov.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\proximityuxhost.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 446f8d3772d64fc400977513fe7e2a3d44b83c6f Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:22:47 -0600
Subject: [PATCH 126/156] Added opcservices.yml
---
 yml/microsoft/built-in/opcservices.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 yml/microsoft/built-in/opcservices.yml
diff --git a/yml/microsoft/built-in/opcservices.yml b/yml/microsoft/built-in/opcservices.yml
new file mode 100644
index 00000000..7eb43882
--- /dev/null
+++ b/yml/microsoft/built-in/opcservices.yml
@@ -0,0 +1,17 @@
+---
+Name: opcservices.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\proximityuxhost.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From a320f7199956f12b67e2448a9960e1637bad97d1 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:24:13 -0600
Subject: [PATCH 127/156] Updated winsta.yml
---
 yml/microsoft/built-in/winsta.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/yml/microsoft/built-in/winsta.yml b/yml/microsoft/built-in/winsta.yml
index 52762a72..d19ad97d 100644
--- a/yml/microsoft/built-in/winsta.yml
+++ b/yml/microsoft/built-in/winsta.yml
@@ -25,10 +25,14 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\quser.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\qprocess.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\qwinsta.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\rdpclip.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\rdpinput.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\rdpsa.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\rdpsauachelper.exe'
@@ -67,6 +71,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 8d11aa59b887fa0b3b425277feabb42bf6c94042 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:28:00 -0600
Subject: [PATCH 128/156] Updated utildll.yml
---
 yml/microsoft/built-in/utildll.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/utildll.yml b/yml/microsoft/built-in/utildll.yml
index dfc63f1e..bbc2d452 100644
--- a/yml/microsoft/built-in/utildll.yml
+++ b/yml/microsoft/built-in/utildll.yml
@@ -17,6 +17,8 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\quser.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\qprocess.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\qwinsta.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\reset.exe'
@@ -29,6 +31,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From e63d456f58d594b5af887aadfd2dcabfb23f3e10 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:29:01 -0600
Subject: [PATCH 129/156] Added rasdlg.yml
---
 yml/microsoft/built-in/rasdlg.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 yml/microsoft/built-in/rasdlg.yml
diff --git a/yml/microsoft/built-in/rasdlg.yml b/yml/microsoft/built-in/rasdlg.yml
new file mode 100644
index 00000000..efba09a7
--- /dev/null
+++ b/yml/microsoft/built-in/rasdlg.yml
@@ -0,0 +1,17 @@
+---
+Name: rasdlg.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+ - "%SYSWOW64%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\rasautou.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From b3b2818ec670a1e98923449473cf2ca76d1ec351 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:29:51 -0600
Subject: [PATCH 130/156] Updated rtutils.yml
---
 yml/microsoft/built-in/rtutils.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/rtutils.yml b/yml/microsoft/built-in/rtutils.yml
index 8f4570a7..61f11433 100644
--- a/yml/microsoft/built-in/rtutils.yml
+++ b/yml/microsoft/built-in/rtutils.yml
@@ -15,8 +15,14 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\rasdial.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\rasphone.exe'
+ Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 745275746ef9bb49a8da58d1d77c81b375e05e92 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:31:03 -0600
Subject: [PATCH 131/156] Added unattend.yml
---
 yml/microsoft/built-in/unattend.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 yml/microsoft/built-in/unattend.yml
diff --git a/yml/microsoft/built-in/unattend.yml b/yml/microsoft/built-in/unattend.yml
new file mode 100644
index 00000000..3bcbf77c
--- /dev/null
+++ b/yml/microsoft/built-in/unattend.yml
@@ -0,0 +1,16 @@
+---
+Name: unattend.dll
+Author: Chris Spehn
+Created: 2021-08-17
+Vendor: Microsoft
+ExpectedLocations:
+ - "%SYSTEM32%"
+VulnerableExecutables:
+ - Path: '%SYSTEM32%\recoverydrive.exe'
+ Type: Sideloading
+Resources:
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
+Acknowledgements:
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 1e1f4fad29bcb5de741ad5fd7677ca0954e13b8e Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:32:17 -0600
Subject: [PATCH 132/156] Updated wimgapi.yml
---
 yml/microsoft/built-in/wimgapi.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/wimgapi.yml b/yml/microsoft/built-in/wimgapi.yml
index d848e0cf..0417e25b 100644
--- a/yml/microsoft/built-in/wimgapi.yml
+++ b/yml/microsoft/built-in/wimgapi.yml
@@ -7,6 +7,8 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\recoverydrive.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\resetengine.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\systemreset.exe'
@@ -17,8 +19,12 @@ VulnerableExecutables:
 Resources:
 - https://www.hexacorn.com/blog/2015/02/23/beyond-good-ol-run-key-part-28/
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
 - Name: Adam
 Twitter: "@hexacorn"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From d07d8c1ce56a41639095e32968f85eba5cf7f47d Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:33:26 -0600
Subject: [PATCH 133/156] Updated reagent.yml
---
 yml/microsoft/built-in/reagent.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/reagent.yml b/yml/microsoft/built-in/reagent.yml
index 13495bd3..ece9facf 100644
--- a/yml/microsoft/built-in/reagent.yml
+++ b/yml/microsoft/built-in/reagent.yml
@@ -14,6 +14,8 @@ VulnerableExecutables:
 - Path: '%SYSTEM32%\recdisc.exe'
 Type: Sideloading
 AutoElevate: true
+ - Path: '%SYSTEM32%\recoverydrive.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\relpost.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\resetengine.exe'
@@ -26,6 +28,10 @@ VulnerableExecutables:
 AutoElevate: true
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 1e4255e8f20a7016f1c7c4cf1a36527bc4a29353 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:34:17 -0600
Subject: [PATCH 134/156] Updated wdscore.yml
---
 yml/microsoft/built-in/wdscore.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/wdscore.yml b/yml/microsoft/built-in/wdscore.yml
index 549e5cc6..da9ee09b 100644
--- a/yml/microsoft/built-in/wdscore.yml
+++ b/yml/microsoft/built-in/wdscore.yml
@@ -23,6 +23,8 @@ VulnerableExecutables:
 Type: Sideloading
 - Path: '%SYSTEM32%\pnpunattend.exe'
 Type: Sideloading
+ - Path: '%SYSTEM32%\recoverydrive.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\resetengine.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\setupugc.exe'
@@ -36,6 +38,10 @@ VulnerableExecutables:
 Type: Sideloading
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+ - https://securityintelligence.com/posts/windows-features-dll-sideloading/
+ - https://github.com/xforcered/WFH
 Acknowledgements:
 - Name: Wietze
 Twitter: "@wietze"
+ - Name: Chris Spehn
+ Twitter: "@ConsciousHacker"
From 5fb6550073f749354ae31f927d5a8710b9180083 Mon Sep 17 00:00:00 2001
From: Chris Spehn
Date: Wed, 17 Aug 2022 08:35:21 -0600
Subject: [PATCH 135/156] Updated wofutil.yml
---
 yml/microsoft/built-in/wofutil.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/yml/microsoft/built-in/wofutil.yml b/yml/microsoft/built-in/wofutil.yml
index b98c0b27..7a2d113d 100644
--- a/yml/microsoft/built-in/wofutil.yml
+++ b/yml/microsoft/built-in/wofutil.yml
@@ -7,6 +7,8 @@ ExpectedLocations:
 - "%SYSTEM32%"
 - "%SYSWOW64%"
 VulnerableExecutables:
+ - Path: '%SYSTEM32%\recoverydrive.exe'
+ Type: Sideloading
 - Path: '%SYSTEM32%\resetengine.exe'
 Type: Sideloading
 - Path: '%SYSTEM32%\systemreset.exe'
@@ -14,6 +16,10 @@ VulnerableExecutables: AutoElevate: true Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 50dc909f11737a984c9792b5c3e2da7b0162e48c Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 08:37:32 -0600 Subject: [PATCH 136/156] Updated winhttp.yml --- yml/microsoft/built-in/winhttp.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/yml/microsoft/built-in/winhttp.yml b/yml/microsoft/built-in/winhttp.yml index 3d089aab..c8567f47 100644 --- a/yml/microsoft/built-in/winhttp.yml +++ b/yml/microsoft/built-in/winhttp.yml @@ -34,10 +34,16 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\pacjsworker.exe' Type: Sideloading + - Path: '%SYSTEM32%\recoverydrive.exe' + Type: Sideloading - Path: '%SYSTEM32%\resetengine.exe' Type: Sideloading - Path: '%SYSTEM32%\rpcping.exe' Type: Sideloading + - Path: '%SYSTEM32%\sgrmlpac.exe' + Type: Sideloading + - Path: '%SYSTEM32%\sihclient.exe' + Type: Sideloading - Path: '%SYSTEM32%\systemreset.exe' Type: Sideloading AutoElevate: true @@ -45,6 +51,10 @@ VulnerableExecutables: Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 0bac8688ac628f8756cb032f1283af3f24b3cbd0 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 08:38:19 -0600 Subject: [PATCH 137/156] Updated rmclient.yml --- yml/microsoft/built-in/rmclient.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/yml/microsoft/built-in/rmclient.yml b/yml/microsoft/built-in/rmclient.yml index 2282bf67..c101dd3e 100644 
--- a/yml/microsoft/built-in/rmclient.yml +++ b/yml/microsoft/built-in/rmclient.yml @@ -9,8 +9,14 @@ ExpectedLocations: VulnerableExecutables: - Path: '%SYSTEM32%\netsh.exe' Type: Sideloading + - Path: '%SYSTEM32%\runtimebroker.exe' + Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From e6df0ed0eea2e2865ca716a9df503da12fe9dc13 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 08:39:27 -0600 Subject: [PATCH 138/156] Updated tquery.yml --- yml/microsoft/built-in/tquery.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/yml/microsoft/built-in/tquery.yml b/yml/microsoft/built-in/tquery.yml index 60d2c1c1..b180b118 100644 --- a/yml/microsoft/built-in/tquery.yml +++ b/yml/microsoft/built-in/tquery.yml @@ -9,8 +9,14 @@ ExpectedLocations: VulnerableExecutables: - Path: '%SYSTEM32%\searchfilterhost.exe' Type: Sideloading + - Path: '%SYSTEM32%\searchprotocolhost.exe' + Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 2f4abb97ad5a2979c445e8e12a6ca42f18107a3f Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 08:40:23 -0600 Subject: [PATCH 139/156] Added winbio.yml --- yml/microsoft/built-in/winbio.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 yml/microsoft/built-in/winbio.yml diff --git a/yml/microsoft/built-in/winbio.yml b/yml/microsoft/built-in/winbio.yml new file mode 100644 index 00000000..d546e69c --- /dev/null +++ b/yml/microsoft/built-in/winbio.yml 
@@ -0,0 +1,17 @@ +--- +Name: winbio.dll +Author: Chris Spehn +Created: 2021-08-17 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" + - "%SYSWOW64%" +VulnerableExecutables: + - Path: '%SYSTEM32%\securityhealthservice.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From f33de7943772663aa283b45ed7033465473a9944 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 08:41:18 -0600 Subject: [PATCH 140/156] Added playsndsrv.yml --- yml/microsoft/built-in/playsndsrv.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 yml/microsoft/built-in/playsndsrv.yml diff --git a/yml/microsoft/built-in/playsndsrv.yml b/yml/microsoft/built-in/playsndsrv.yml new file mode 100644 index 00000000..37c2ccf8 --- /dev/null +++ b/yml/microsoft/built-in/playsndsrv.yml @@ -0,0 +1,17 @@ +--- +Name: playsndsrv.dll +Author: Chris Spehn +Created: 2021-08-17 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" + - "%SYSWOW64%" +VulnerableExecutables: + - Path: '%SYSTEM32%\sethc.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 9c63d238dddd216c7e4d36650acb08f94126f50d Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 08:42:29 -0600 Subject: [PATCH 141/156] Updated oleacc.yml --- yml/microsoft/built-in/oleacc.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/yml/microsoft/built-in/oleacc.yml b/yml/microsoft/built-in/oleacc.yml index 469f26bb..c66d60ca 100644 --- a/yml/microsoft/built-in/oleacc.yml +++ b/yml/microsoft/built-in/oleacc.yml 
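Review bot: `Created: 2021-08-17` in the new winbio.yml does not match the commit date of 17 Aug 2022; the year looks like a typo and should presumably read `Created: 2022-08-17`. The same value appears in every new file in this series (playsndsrv.yml on this line, then aclui.yml, pkeyhelper.yml, winsync.yml, dxcore.yml, security.yml, tpmcoreprovisioning.yml, vdsutil.yml, wsmsvc.yml and wscapi.yml), so they should be corrected together rather than one at a time.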
@@ -26,12 +26,20 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\psr.exe' Type: Sideloading + - Path: '%SYSTEM32%\sethc.exe' + Type: Sideloading + - Path: '%SYSTEM32%\snippingtool.exe' + Type: Sideloading - Path: '%SYSTEM32%\utilman.exe' Type: Sideloading - Path: '%SYSTEM32%\wmpdmc.exe' Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 042a16d81e8a34d516b575e75a6ecb81b6975db8 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 08:43:26 -0600 Subject: [PATCH 142/156] Updated tbs.yml --- yml/microsoft/built-in/tbs.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/yml/microsoft/built-in/tbs.yml b/yml/microsoft/built-in/tbs.yml index 4d07b05e..5aeb1927 100644 --- a/yml/microsoft/built-in/tbs.yml +++ b/yml/microsoft/built-in/tbs.yml @@ -13,11 +13,19 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\resetengine.exe' Type: Sideloading + - Path: '%SYSTEM32%\sgrmbroker.exe' + Type: Sideloading - Path: '%SYSTEM32%\systemreset.exe' Type: Sideloading AutoElevate: true + - Path: '%SYSTEM32%\tpmtool.exe' + Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From fd7576aa678df9708edae86e37811fa9fe59c98c Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 08:46:12 -0600 Subject: [PATCH 143/156] Added aclui.yml --- yml/microsoft/built-in/aclui.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 yml/microsoft/built-in/aclui.yml 
diff --git a/yml/microsoft/built-in/aclui.yml b/yml/microsoft/built-in/aclui.yml new file mode 100644 index 00000000..d18f643b --- /dev/null +++ b/yml/microsoft/built-in/aclui.yml @@ -0,0 +1,17 @@ +--- +Name: aclui.dll +Author: Chris Spehn +Created: 2021-08-17 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" + - "%SYSWOW64%" +VulnerableExecutables: + - Path: '%SYSTEM32%\shrpubw.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 0ebe926fd25d74ed47368fda18fe806620204887 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 08:47:34 -0600 Subject: [PATCH 144/156] Updated coremessaging.yml --- yml/microsoft/built-in/coremessaging.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/yml/microsoft/built-in/coremessaging.yml b/yml/microsoft/built-in/coremessaging.yml index 8ce9f9cb..98630a31 100644 --- a/yml/microsoft/built-in/coremessaging.yml +++ b/yml/microsoft/built-in/coremessaging.yml @@ -9,8 +9,14 @@ ExpectedLocations: VulnerableExecutables: - Path: '%SYSTEM32%\dwm.exe' Type: Sideloading + - Path: '%SYSTEM32%\sihost.exe' + Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From ced366517d6c32fba71f6958f0fb5b279ce8644b Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 08:48:27 -0600 Subject: [PATCH 145/156] Updated msdrm.yml --- yml/microsoft/built-in/msdrm.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/yml/microsoft/built-in/msdrm.yml b/yml/microsoft/built-in/msdrm.yml index 5c825837..40f179a1 100644 --- a/yml/microsoft/built-in/msdrm.yml +++ b/yml/microsoft/built-in/msdrm.yml 
@@ -15,8 +15,14 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\rmactivate_isv.exe' Type: Sideloading + - Path: '%SYSTEM32%\snippingtool.exe' + Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 87c8f4f53beabb2cc6136ee5a68310a7a4c1a6e0 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 08:49:49 -0600 Subject: [PATCH 146/156] Added pkeyhelper.yml --- yml/microsoft/built-in/pkeyhelper.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 yml/microsoft/built-in/pkeyhelper.yml diff --git a/yml/microsoft/built-in/pkeyhelper.yml b/yml/microsoft/built-in/pkeyhelper.yml new file mode 100644 index 00000000..99600441 --- /dev/null +++ b/yml/microsoft/built-in/pkeyhelper.yml @@ -0,0 +1,16 @@ +--- +Name: pkeyhelper.dll +Author: Chris Spehn +Created: 2021-08-17 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" +VulnerableExecutables: + - Path: '%SYSTEM32%\sppsvc.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 72f8df87cc88caecf0e0b8d5e96087771f3ad9e6 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 08:51:17 -0600 Subject: [PATCH 147/156] Added winsync.yml --- yml/microsoft/built-in/winsync.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 yml/microsoft/built-in/winsync.yml diff --git a/yml/microsoft/built-in/winsync.yml b/yml/microsoft/built-in/winsync.yml new file mode 100644 index 00000000..6ef2cc5c --- /dev/null +++ b/yml/microsoft/built-in/winsync.yml 
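Review bot: The new pkeyhelper.yml lists only `%SYSTEM32%` under `ExpectedLocations`, whereas every other file created in this series also lists `%SYSWOW64%`. If pkeyhelper.dll genuinely ships no 32-bit copy that is fine, but nothing in the hunk records the reason; either add the `- "%SYSWOW64%"` line for consistency or state why it is omitted in the commit message so the difference is not mistaken for an oversight.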
@@ -0,0 +1,17 @@ +--- +Name: winsync.dll +Author: Chris Spehn +Created: 2021-08-17 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" + - "%SYSWOW64%" +VulnerableExecutables: + - Path: '%SYSTEM32%\synchost.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 37a603066cf0ef7a72695d751109118fbd9d356e Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 08:52:38 -0600 Subject: [PATCH 148/156] Added dxcore.yml --- yml/microsoft/built-in/dxcore.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 yml/microsoft/built-in/dxcore.yml diff --git a/yml/microsoft/built-in/dxcore.yml b/yml/microsoft/built-in/dxcore.yml new file mode 100644 index 00000000..cba131cc --- /dev/null +++ b/yml/microsoft/built-in/dxcore.yml @@ -0,0 +1,17 @@ +--- +Name: dxcore.dll +Author: Chris Spehn +Created: 2021-08-17 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" + - "%SYSWOW64%" +VulnerableExecutables: + - Path: '%SYSTEM32%\taskmgr.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 662f99fe0e8d75d95c30c7115a93059e239308e0 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 08:54:16 -0600 Subject: [PATCH 149/156] Added security.yml --- yml/microsoft/built-in/security.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 yml/microsoft/built-in/security.yml diff --git a/yml/microsoft/built-in/security.yml b/yml/microsoft/built-in/security.yml new file mode 100644 index 00000000..b12cfbe0 --- /dev/null +++ b/yml/microsoft/built-in/security.yml 
@@ -0,0 +1,17 @@ +--- +Name: security.dll +Author: Chris Spehn +Created: 2021-08-17 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" + - "%SYSWOW64%" +VulnerableExecutables: + - Path: '%SYSTEM32%\telnet.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 509494c04ecf05879fdfaafe2af4217d3d90b416 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 08:55:30 -0600 Subject: [PATCH 150/156] Added tpmcoreprovisioning.yml --- yml/microsoft/built-in/tpmcoreprovisioning.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 yml/microsoft/built-in/tpmcoreprovisioning.yml diff --git a/yml/microsoft/built-in/tpmcoreprovisioning.yml b/yml/microsoft/built-in/tpmcoreprovisioning.yml new file mode 100644 index 00000000..b2d4026a --- /dev/null +++ b/yml/microsoft/built-in/tpmcoreprovisioning.yml @@ -0,0 +1,17 @@ +--- +Name: tpmcoreprovisioning.dll +Author: Chris Spehn +Created: 2021-08-17 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" + - "%SYSWOW64%" +VulnerableExecutables: + - Path: '%SYSTEM32%\tpmtool.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 2e4d32b3cb179f68e98a42c54197228d4a6aea49 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 08:57:01 -0600 Subject: [PATCH 151/156] Updated pdh.yml --- yml/microsoft/built-in/pdh.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/yml/microsoft/built-in/pdh.yml b/yml/microsoft/built-in/pdh.yml index 3c09f918..ad76a06e 100644 --- a/yml/microsoft/built-in/pdh.yml +++ b/yml/microsoft/built-in/pdh.yml 
@@ -14,6 +14,8 @@ VulnerableExecutables: - Path: '%SYSTEM32%\taskmgr.exe' Type: Sideloading AutoElevate: true +- Path: '%SYSTEM32%\tracerpt.exe' + Type: Sideloading - Path: '%SYSTEM32%\typeperf.exe' Type: Sideloading - Path: '%SYSTEM32%\logman.exe' @@ -22,6 +24,10 @@ VulnerableExecutables: Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows - https://wietze.github.io/blog/save-the-environment-variables +- https://securityintelligence.com/posts/windows-features-dll-sideloading/ +- https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: '@wietze' +- Name: Chris Spehn + Twitter: "@ConsciousHacker" From 281af9510fc9b7aea4ac7ccf2eb68ef4a520d2a3 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 08:57:51 -0600 Subject: [PATCH 152/156] Added vdsutil.yml --- yml/microsoft/built-in/vdsutil.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 yml/microsoft/built-in/vdsutil.yml diff --git a/yml/microsoft/built-in/vdsutil.yml b/yml/microsoft/built-in/vdsutil.yml new file mode 100644 index 00000000..920cf156 --- /dev/null +++ b/yml/microsoft/built-in/vdsutil.yml @@ -0,0 +1,17 @@ +--- +Name: vdsutil.dll +Author: Chris Spehn +Created: 2021-08-17 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" + - "%SYSWOW64%" +VulnerableExecutables: + - Path: '%SYSTEM32%\vdsldr.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From bf85e199adf4500ca1505412bb8a7cd290553924 Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 08:58:59 -0600 Subject: [PATCH 153/156] Updated webservices.yml --- yml/microsoft/built-in/webservices.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/yml/microsoft/built-in/webservices.yml b/yml/microsoft/built-in/webservices.yml index 8265f742..344d31c4 100644 
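Review bot: In the pdh.yml hunk the added `Twitter: "@ConsciousHacker"` uses double quotes while the existing entry directly above it uses single quotes (`Twitter: '@wietze'`); the file is otherwise internally consistent, so the new line should follow its convention: `Twitter: '@ConsciousHacker'`. Both forms parse to the same string, so this is purely a style point about matching the surrounding file.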
--- a/yml/microsoft/built-in/webservices.yml +++ b/yml/microsoft/built-in/webservices.yml @@ -11,12 +11,20 @@ VulnerableExecutables: Type: Sideloading - Path: '%SYSTEM32%\sppsvc.exe' Type: Sideloading + - Path: '%SYSTEM32%\vsgraphicsdesktopengine.exe' + Type: Sideloading + - Path: '%SYSTEM32%\vsgraphicsremoteengine.exe' + Type: Sideloading - Path: '%SYSTEM32%\wifitask.exe' Type: Sideloading - Path: '%SYSTEM32%\wksprt.exe' Type: Sideloading Resources: - https://wietze.github.io/blog/hijacking-dlls-in-windows + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH Acknowledgements: - Name: Wietze Twitter: "@wietze" + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 4dfe21e8feec8ef8192325e4c2fdd2a09b0a547b Mon Sep 17 00:00:00 2001 From: Chris Spehn Date: Wed, 17 Aug 2022 09:00:37 -0600 Subject: [PATCH 154/156] Added wsmsvc.yml --- yml/microsoft/built-in/wsmsvc.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 yml/microsoft/built-in/wsmsvc.yml diff --git a/yml/microsoft/built-in/wsmsvc.yml b/yml/microsoft/built-in/wsmsvc.yml new file mode 100644 index 00000000..64d3ed1f --- /dev/null +++ b/yml/microsoft/built-in/wsmsvc.yml @@ -0,0 +1,21 @@ +--- +Name: wsmsvc.dll +Author: Chris Spehn +Created: 2021-08-17 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" + - "%SYSWOW64%" +VulnerableExecutables: + - Path: '%SYSTEM32%\winrs.exe' + Type: Sideloading + - Path: '%SYSTEM32%\wsmanhttpconfig.exe' + Type: Sideloading + - Path: '%SYSTEM32%\wsmprovhost.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From f7ae4e31ad1304a8df09d6b25602a63d12b89bc9 Mon Sep 17 00:00:00 2001 
From: Chris Spehn Date: Wed, 17 Aug 2022 09:02:42 -0600 Subject: [PATCH 155/156] Added wscapi.yml --- yml/microsoft/built-in/wscapi.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 yml/microsoft/built-in/wscapi.yml diff --git a/yml/microsoft/built-in/wscapi.yml b/yml/microsoft/built-in/wscapi.yml new file mode 100644 index 00000000..683e0781 --- /dev/null +++ b/yml/microsoft/built-in/wscapi.yml @@ -0,0 +1,17 @@ +--- +Name: wscapi.dll +Author: Chris Spehn +Created: 2021-08-17 +Vendor: Microsoft +ExpectedLocations: + - "%SYSTEM32%" + - "%SYSWOW64%" +VulnerableExecutables: + - Path: '%SYSTEM32%\wscadminui.exe' + Type: Sideloading +Resources: + - https://securityintelligence.com/posts/windows-features-dll-sideloading/ + - https://github.com/xforcered/WFH +Acknowledgements: + - Name: Chris Spehn + Twitter: "@ConsciousHacker" From 2145c09b846097deb539fbbf76d6c5aba7ec2ab6 Mon Sep 17 00:00:00 2001 From: Wietze Date: Mon, 22 Aug 2022 14:48:19 +0100 Subject: [PATCH 156/156] Adding missing line endings --- yml/microsoft/built-in/apphelp.yml | 2 +- yml/microsoft/built-in/cryptbase.yml | 2 +- yml/microsoft/built-in/mscoree.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/yml/microsoft/built-in/apphelp.yml b/yml/microsoft/built-in/apphelp.yml index 8e54fb9b..a88139af 100644 --- a/yml/microsoft/built-in/apphelp.yml +++ b/yml/microsoft/built-in/apphelp.yml @@ -22,4 +22,4 @@ Acknowledgements: - Name: Wietze Twitter: "@wietze" - Name: Chris Spehn - Twitter: "@ConsciousHacker" \ No newline at end of file + Twitter: "@ConsciousHacker" diff --git a/yml/microsoft/built-in/cryptbase.yml b/yml/microsoft/built-in/cryptbase.yml index 534c332d..bb416e44 100644 --- a/yml/microsoft/built-in/cryptbase.yml +++ b/yml/microsoft/built-in/cryptbase.yml @@ -87,4 +87,4 @@ Acknowledgements: - Name: Wietze Twitter: "@wietze" - Name: Chris Spehn - Twitter: "@ConsciousHacker" \ No newline at end of file + Twitter: "@ConsciousHacker" 
diff --git a/yml/microsoft/built-in/mscoree.yml b/yml/microsoft/built-in/mscoree.yml index 594075c1..a1ff7a4b 100644 --- a/yml/microsoft/built-in/mscoree.yml +++ b/yml/microsoft/built-in/mscoree.yml @@ -19,4 +19,4 @@ Acknowledgements: - Name: Wietze Twitter: "@wietze" - Name: Chris Spehn - Twitter: "@ConsciousHacker" \ No newline at end of file + Twitter: "@ConsciousHacker"