Add System32 entries from WFH_Dridex #6

Merged
merged 156 commits into from
Aug 22, 2022
156 commits
df9ac4b
Added sdbinst.exe to apphelp.dll yaml
Aug 16, 2022
db657a8
Added sdbinst.exe to apphelp.dll yaml
Aug 16, 2022
e1eddaa
Added more exes to userenv.yml
Aug 16, 2022
23a900d
Added version.yml for builtin
Aug 16, 2022
c98cc57
Updated resources and acknowledgements
Aug 16, 2022
508e77b
Updated mscoree.yml
Aug 16, 2022
52c4865
Updated cryptbase.yml
Aug 16, 2022
956532d
Updated mswsock.yml
Aug 16, 2022
28be631
Updated srpapi.yml
Aug 16, 2022
9b55663
Updated dxgi.yml
Aug 16, 2022
a773968
Updated activeds.yml
Aug 16, 2022
3dda504
Updated wtsapi32.yml
Aug 16, 2022
aa16a67
Updated secur32.yml
Aug 16, 2022
e51201d
Updated wininet.yml
Aug 16, 2022
61a9f6d
Updated mmdevapi.yml
Aug 16, 2022
9f44c30
Updated winbrand.yml
Aug 16, 2022
a2e91e0
Updated uxtheme.yml
Aug 16, 2022
3d740e4
Updated duser.yml
Aug 16, 2022
2641189
Updated dui70.yml
Aug 16, 2022
bb0d178
Updated dsreg.yml
Aug 16, 2022
4315837
Updated sspicli.yml
Aug 16, 2022
fb2aac5
Updated mpr.yml
Aug 16, 2022
fe30bf3
Updated winsqlite3.yml
Aug 16, 2022
6e3310d
Updated iertutil.yml
Aug 16, 2022
2b13dfd
Updated ntmarta.yml
Aug 16, 2022
45efae1
Updated certenroll.yml
Aug 16, 2022
b4fae7c
Updated ncrypt.yml
Aug 16, 2022
3620c4c
Updated regapi.yml
Aug 16, 2022
1952ce4
Updated wevtapi.yml
Aug 16, 2022
5819aa8
Updated bcd.yml
Aug 16, 2022
a37682f
Updated vssapi.yml
Aug 16, 2022
e8b1d57
Updated wdi.yml
Aug 16, 2022
d7a5900
Updated scecli.yml
Aug 16, 2022
c1fb69c
Added msvcp110_win.yml
Aug 16, 2022
ee332f1
Added appvpolicy.yml
Aug 16, 2022
d9cff40
Updated appvpolicy.yml
Aug 16, 2022
2fae776
Added netapi32.yml
Aug 16, 2022
b364f54
Added cryptsp.yml
Aug 16, 2022
d290a0d
Added iumsdk.yml
Aug 16, 2022
3597821
Added fveskybackup.yml
Aug 16, 2022
0e28700
Added fvewiz.yml
Aug 16, 2022
1cb840c
Added bootux.yml
Aug 16, 2022
94544f9
Added msiso.yml
Aug 16, 2022
bf7cd5b
Added urlmon.yml
Aug 16, 2022
e977e22
Added certcli.yml
Aug 16, 2022
063c0e8
Added profapi.yml
Aug 16, 2022
286887a
Added cmutil.yml
Aug 16, 2022
0389faa
Added ifsutil.yml
Aug 16, 2022
9d9d7dd
Updated osuninst.yml
Aug 16, 2022
49a1bff
Updated samcli.yml
Aug 16, 2022
d59e7b9
Updated netutils.yml
Aug 16, 2022
04761d0
Updated msctfmonitor.yml
Aug 16, 2022
5692ee7
Updated dsrole.yml
Aug 16, 2022
41f32ad
Updated logoncli.yml
Aug 16, 2022
a7103be
Updated propsys.yml
Aug 16, 2022
efb80eb
Updated twinapi.yml
Aug 16, 2022
3371179
Updated dcomp.yml
Aug 16, 2022
e6e6592
Updated dnsapi.yml
Aug 16, 2022
1dc79d9
Updated iphlpapi.yml
Aug 16, 2022
edb523c
Updated dsparse.yml
Aug 16, 2022
1fd82a9
Updated srvcli.yml
Aug 16, 2022
a226a95
Updated ntdsapi.yml
Aug 16, 2022
fac4e50
Updated sxshared.yml
Aug 16, 2022
5a00a16
Added umpdc.yml
Aug 16, 2022
7caaaec
Added mfc42u.yml
Aug 16, 2022
c0cf906
Updated resutils.yml
Aug 16, 2022
24c74d7
Added framedynos.yml
Aug 16, 2022
decc04c
Updated fltlib.yml
Aug 16, 2022
670936b
Updated esent.yml
Aug 16, 2022
347e485
Updated clusapi.yml
Aug 16, 2022
d40c5f5
Updated dismapi.yml
Aug 16, 2022
b2dd331
Added srmtrace.dll
Aug 16, 2022
7f6de9e
Added netprovfw.dll
Aug 16, 2022
26fc0d3
Added windows.ui.immersive.dll
Aug 16, 2022
8307981
Updated samlib.yml
Aug 16, 2022
e0ddd59
Updated atl.yml
Aug 16, 2022
2ba95d2
Added dsprop.yml
Aug 16, 2022
a1318ac
Added dsprop.yml
Aug 16, 2022
29fc211
Added coreuicomponents.yml
Aug 16, 2022
3fed888
Updated xmllite.yml
Aug 16, 2022
36f0b02
Updated d3d11.yml
Aug 16, 2022
52892b8
Updated dbghelp.yml
Aug 16, 2022
91c90aa
Updated d2d1.yml
Aug 16, 2022
5b40843
Added powrprof.yml
Aug 16, 2022
a54db95
Added credui.yml
Aug 16, 2022
0ff90c2
Added gpapi.yml
Aug 16, 2022
8071554
Added configmanager2.yml
Aug 16, 2022
3b8ee12
Updated configmanager2.yml
Aug 16, 2022
cd2a081
Updated cabinet.yml
Aug 16, 2022
0c55dbb
Added winscard.yml
Aug 17, 2022
7215b15
Updated newdev.yml
Aug 17, 2022
f8e8ddf
Added drvstore.yml
Aug 17, 2022
f1dd9b8
Updated ktmw32.yml
Aug 17, 2022
6ebc809
Updated dhcpcsvc.yml
Aug 17, 2022
93e221d
Updated dhcpcsvc6.yml
Aug 17, 2022
5b5cf5f
Updated wlanapi.yml
Aug 17, 2022
d514b6a
Added lrwizdll.yml
Aug 17, 2022
ff2d0e6
Added lockhostingframework.yml
Aug 17, 2022
58f2529
Added mbaexmlparser.yml
Aug 17, 2022
02e448b
Updated mobilenetworking.yml
Aug 17, 2022
adfaa31
Added batmeter.yml
Aug 17, 2022
5f1531a
Updated dwmapi.yml
Aug 17, 2022
1d922a0
Updated winmm.yml
Aug 17, 2022
409a889
Updated omadmapi.yml
Aug 17, 2022
9645644
Updated dmenrollengine.yml
Aug 17, 2022
f9805e8
Added edgeiso.yml
Aug 17, 2022
3f7b3ce
Updated dmiso8601utils.yml
Aug 17, 2022
6975d43
Updated updatepolicy.yml
Aug 17, 2022
8f932f0
Updated wkscli.yml
Aug 17, 2022
a7afef4
Updated dmcmnutils.yml
Aug 17, 2022
d026571
Added netjoin.yml
Aug 17, 2022
a1674ba
Updated cryptdll.yml
Aug 17, 2022
34bb29b
Added icmp.yml
Aug 17, 2022
39b8dd2
Added coredplus.yml
Aug 17, 2022
4200452
Updated dmpushproxy.yml
Aug 17, 2022
bdfbc22
Updated pcaui.yml
Aug 17, 2022
bd04d69
Updated slc.yml
Aug 17, 2022
fb4922c
Added sppcext.yml
Aug 17, 2022
eee71e6
Updated devobj.yml
Aug 17, 2022
5d05f27
Added prntvpt.yml
Aug 17, 2022
aeba40c
Added xpsservices.yml
Aug 17, 2022
cda2987
Added dmcommandlineutils.yml
Aug 17, 2022
978b60d
Added proximitycommon.yml
Aug 17, 2022
ed1607c
Added proximityservicepal.yml
Aug 17, 2022
bc4c86f
Updated deviceassociation.yml
Aug 17, 2022
446f8d3
Added opcservices.yml
Aug 17, 2022
a320f71
Updated winsta.yml
Aug 17, 2022
8d11aa5
Updated utildll.yml
Aug 17, 2022
e63d456
Added rasdlg.yml
Aug 17, 2022
b3b2818
Updated rtutils.yml
Aug 17, 2022
7452757
Added unattend.yml
Aug 17, 2022
1e1f4fa
Updated wimgapi.yml
Aug 17, 2022
d07d8c1
Updated reagent.yml
Aug 17, 2022
1e4255e
Updated wdscore.yml
Aug 17, 2022
5fb6550
Updated wofutil.yml
Aug 17, 2022
50dc909
Updated winhttp.yml
Aug 17, 2022
0bac868
Updated rmclient.yml
Aug 17, 2022
e6df0ed
Updated tquery.yml
Aug 17, 2022
2f4abb9
Added winbio.yml
Aug 17, 2022
f33de79
Added playsndsrv.yml
Aug 17, 2022
9c63d23
Updated oleacc.yml
Aug 17, 2022
042a16d
Updated tbs.yml
Aug 17, 2022
fd7576a
Added aclui.yml
Aug 17, 2022
0ebe926
Updated coremessaging.yml
Aug 17, 2022
ced3665
Updated msdrm.yml
Aug 17, 2022
87c8f4f
Added pkeyhelper.yml
Aug 17, 2022
72f8df8
Added winsync.yml
Aug 17, 2022
37a6030
Added dxcore.yml
Aug 17, 2022
662f99f
Added security.yml
Aug 17, 2022
509494c
Added tpmcoreprovisioning.yml
Aug 17, 2022
2e4d32b
Updated pdh.yml
Aug 17, 2022
281af95
Added vdsutil.yml
Aug 17, 2022
bf85e19
Updated webservices.yml
Aug 17, 2022
4dfe21e
Added wsmsvc.yml
Aug 17, 2022
f7ae4e3
Added wscapi.yml
Aug 17, 2022
2145c09
Adding missing line endings
wietze Aug 22, 2022
17 changes: 17 additions & 0 deletions yml/microsoft/built-in/aclui.yml
@@ -0,0 +1,17 @@
---
Name: aclui.dll
Author: Chris Spehn
Created: 2021-08-17
Vendor: Microsoft
ExpectedLocations:
- "%SYSTEM32%"
- "%SYSWOW64%"
VulnerableExecutables:
- Path: '%SYSTEM32%\shrpubw.exe'
Type: Sideloading
Resources:
- https://securityintelligence.com/posts/windows-features-dll-sideloading/
- https://github.com/xforcered/WFH
Acknowledgements:
- Name: Chris Spehn
Twitter: "@ConsciousHacker"
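Review bot: the `Created: 2021-08-17` line looks a year off: the commit list shows this file being added on Aug 17, 2022, and the PR was merged on Aug 22, 2022, so `2021` is presumably a typo for `2022`. The same 2021 year appears in the other new files in this PR (appvpolicy, batmeter, bootux, certcli, cmutil, configmanager2, coredplus, coreuicomponents); fixing them in one commit would keep the metadata consistent with the commit history.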
16 changes: 16 additions & 0 deletions yml/microsoft/built-in/activeds.yml
Expand Up @@ -7,10 +7,26 @@ ExpectedLocations:
- "%SYSTEM32%"
- "%SYSWOW64%"
VulnerableExecutables:
- Path: '%SYSTEM32%\applysettingstemplatecatalog.exe'
Type: Sideloading
- Path: '%SYSTEM32%\agentservice.exe'
Type: Sideloading
- Path: '%SYSTEM32%\dsadd.exe'
Type: Sideloading
- Path: '%SYSTEM32%\dsget.exe'
Type: Sideloading
- Path: '%SYSTEM32%\dsmod.exe'
Type: Sideloading
- Path: '%SYSTEM32%\dsrm.exe'
Type: Sideloading
- Path: '%SYSTEM32%\gpfixup.exe'
Type: Sideloading
Resources:
- https://wietze.github.io/blog/hijacking-dlls-in-windows
- https://securityintelligence.com/posts/windows-features-dll-sideloading/
- https://github.com/xforcered/WFH
Acknowledgements:
- Name: Wietze
Twitter: "@wietze"
- Name: Chris Spehn
Twitter: "@ConsciousHacker"
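Review bot: the VulnerableExecutables list is out of order: `agentservice.exe` follows `applysettingstemplatecatalog.exe`, whereas the rest of this list (dsadd through gpfixup) and every other list in this PR is sorted alphabetically by path; swapping those two entries keeps the convention and makes future merges on this file less likely to conflict.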
6 changes: 6 additions & 0 deletions yml/microsoft/built-in/apphelp.yml
Expand Up @@ -9,11 +9,17 @@ ExpectedLocations:
VulnerableExecutables:
- Path: '%SYSTEM32%\compmgmtlauncher.exe'
Type: Sideloading
- Path: '%SYSTEM32%\sdbinst.exe'
Type: Sideloading
- Path: '%WINDIR%\explorer.exe'
Type: Search Order
Resources:
- https://wietze.github.io/blog/hijacking-dlls-in-windows
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
- https://securityintelligence.com/posts/windows-features-dll-sideloading/
- https://github.com/xforcered/WFH
Acknowledgements:
- Name: Wietze
Twitter: "@wietze"
- Name: Chris Spehn
Twitter: "@ConsciousHacker"
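Review bot: the `sdbinst.exe` entry lands here once, but the commit history carries two commits with the identical message "Added sdbinst.exe to apphelp.dll yaml" (df9ac4b and db657a8), and "Added dsprop.yml" likewise appears twice (2ba95d2 and a1318ac); squashing those duplicates, or the whole 156-commit series, before merge would give a history that is easier to bisect when an entry later needs to be traced back to its source.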
16 changes: 16 additions & 0 deletions yml/microsoft/built-in/appvpolicy.yml
@@ -0,0 +1,16 @@
---
Name: appvpolicy.dll
Author: Chris Spehn
Created: 2021-08-16
Vendor: Microsoft
ExpectedLocations:
- "%SYSTEM32%"
VulnerableExecutables:
- Path: '%SYSTEM32%\appvclient.exe'
Type: Sideloading
Resources:
- https://securityintelligence.com/posts/windows-features-dll-sideloading/
- https://github.com/xforcered/WFH
Acknowledgements:
- Name: Chris Spehn
Twitter: "@ConsciousHacker"
10 changes: 10 additions & 0 deletions yml/microsoft/built-in/atl.yml
Expand Up @@ -7,6 +7,10 @@ ExpectedLocations:
- "%SYSTEM32%"
- "%SYSWOW64%"
VulnerableExecutables:
- Path: '%SYSTEM32%\dsquery.exe'
Type: Sideloading
- Path: '%SYSTEM32%\filescrn.exe'
Type: Sideloading
- Path: '%SYSTEM32%\msconfig.exe'
Type: Sideloading
AutoElevate: true
Expand All @@ -20,6 +24,8 @@ VulnerableExecutables:
AutoElevate: true
- Path: '%SYSTEM32%\quickassist.exe'
Type: Sideloading
- Path: '%SYSTEM32%\storrept.exe'
Type: Sideloading
- Path: '%SYSTEM32%\vds.exe'
Type: Sideloading
- Path: '%SYSTEM32%\vdsldr.exe'
Expand All @@ -30,6 +36,10 @@ VulnerableExecutables:
Type: Sideloading
Resources:
- https://wietze.github.io/blog/hijacking-dlls-in-windows
- https://securityintelligence.com/posts/windows-features-dll-sideloading/
- https://github.com/xforcered/WFH
Acknowledgements:
- Name: Wietze
Twitter: "@wietze"
- Name: Chris Spehn
Twitter: "@ConsciousHacker"
17 changes: 17 additions & 0 deletions yml/microsoft/built-in/batmeter.yml
@@ -0,0 +1,17 @@
---
Name: batmeter.dll
Author: Chris Spehn
Created: 2021-08-17
Vendor: Microsoft
ExpectedLocations:
- "%SYSTEM32%"
- "%SYSWOW64%"
VulnerableExecutables:
- Path: '%SYSTEM32%\mblctr.exe'
Type: Sideloading
Resources:
- https://securityintelligence.com/posts/windows-features-dll-sideloading/
- https://github.com/xforcered/WFH
Acknowledgements:
- Name: Chris Spehn
Twitter: "@ConsciousHacker"
8 changes: 8 additions & 0 deletions yml/microsoft/built-in/bcd.yml
Expand Up @@ -9,6 +9,8 @@ ExpectedLocations:
VulnerableExecutables:
- Path: '%SYSTEM32%\bootim.exe'
Type: Sideloading
- Path: '%SYSTEM32%\cidiag.exe'
Type: Sideloading
- Path: '%SYSTEM32%\genvalobj.exe'
Type: Sideloading
- Path: '%SYSTEM32%\mdsched.exe'
Expand All @@ -20,6 +22,8 @@ VulnerableExecutables:
- Path: '%SYSTEM32%\recdisc.exe'
Type: Sideloading
AutoElevate: true
- Path: '%SYSTEM32%\recoverydrive.exe'
Type: Sideloading
- Path: '%SYSTEM32%\resetengine.exe'
Type: Sideloading
- Path: '%SYSTEM32%\rstrui.exe'
Expand Down Expand Up @@ -61,6 +65,10 @@ VulnerableExecutables:
Type: Sideloading
Resources:
- https://wietze.github.io/blog/hijacking-dlls-in-windows
- https://securityintelligence.com/posts/windows-features-dll-sideloading/
- https://github.com/xforcered/WFH
Acknowledgements:
- Name: Wietze
Twitter: "@wietze"
- Name: Chris Spehn
Twitter: "@ConsciousHacker"
16 changes: 16 additions & 0 deletions yml/microsoft/built-in/bootux.yml
@@ -0,0 +1,16 @@
---
Name: bootux.dll
Author: Chris Spehn
Created: 2021-08-16
Vendor: Microsoft
ExpectedLocations:
- "%SYSTEM32%"
VulnerableExecutables:
- Path: '%SYSTEM32%\bootim.exe'
Type: Sideloading
Resources:
- https://securityintelligence.com/posts/windows-features-dll-sideloading/
- https://github.com/xforcered/WFH
Acknowledgements:
- Name: Chris Spehn
Twitter: "@ConsciousHacker"
10 changes: 10 additions & 0 deletions yml/microsoft/built-in/cabinet.yml
Expand Up @@ -17,6 +17,8 @@ VulnerableExecutables:
Type: Sideloading
- Path: '%SYSTEM32%\extrac32.exe'
Type: Sideloading
- Path: '%SYSTEM32%\iesettingsync.exe'
Type: Sideloading
- Path: '%SYSTEM32%\licensingdiag.exe'
Type: Sideloading
- Path: '%SYSTEM32%\makecab.exe'
Expand All @@ -32,6 +34,8 @@ VulnerableExecutables:
Type: Sideloading
- Path: '%SYSTEM32%\plasrv.exe'
Type: Sideloading
- Path: '%SYSTEM32%\pnputil.exe'
Type: Sideloading
- Path: '%SYSTEM32%\reagentc.exe'
Type: Sideloading
- Path: '%SYSTEM32%\recdisc.exe'
Expand All @@ -44,6 +48,8 @@ VulnerableExecutables:
- Path: '%SYSTEM32%\sdclt.exe'
Type: Sideloading
AutoElevate: true
- Path: '%SYSTEM32%\sihclient.exe'
Type: Sideloading
- Path: '%SYSTEM32%\systemreset.exe'
Type: Sideloading
AutoElevate: true
Expand All @@ -61,6 +67,10 @@ VulnerableExecutables:
Resources:
- https://wietze.github.io/blog/hijacking-dlls-in-windows
- https://wietze.github.io/blog/save-the-environment-variables
- https://securityintelligence.com/posts/windows-features-dll-sideloading/
- https://github.com/xforcered/WFH
Acknowledgements:
- Name: Wietze
Twitter: '@wietze'
- Name: Chris Spehn
Twitter: "@ConsciousHacker"
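Review bot: the Acknowledgements block now mixes quoting styles: the existing `Twitter: '@wietze'` uses single quotes while the added `Twitter: "@ConsciousHacker"` uses double quotes. Both parse identically in YAML, but every other file touched by this PR quotes the handle with double quotes, so normalising this line (and the same pair in credui.yml) would keep the files uniform.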
21 changes: 21 additions & 0 deletions yml/microsoft/built-in/certcli.yml
@@ -0,0 +1,21 @@
---
Name: certcli.dll
Author: Chris Spehn
Created: 2021-08-16
Vendor: Microsoft
ExpectedLocations:
- "%SYSTEM32%"
- "%SYSWOW64%"
VulnerableExecutables:
- Path: '%SYSTEM32%\certreq.exe'
Type: Sideloading
- Path: '%SYSTEM32%\certutil.exe'
Type: Sideloading
- Path: '%SYSTEM32%\repadmin.exe'
Type: Sideloading
Resources:
- https://securityintelligence.com/posts/windows-features-dll-sideloading/
- https://github.com/xforcered/WFH
Acknowledgements:
- Name: Chris Spehn
Twitter: "@ConsciousHacker"
6 changes: 6 additions & 0 deletions yml/microsoft/built-in/certenroll.yml
Expand Up @@ -7,10 +7,16 @@ ExpectedLocations:
- "%SYSTEM32%"
- "%SYSWOW64%"
VulnerableExecutables:
- Path: '%SYSTEM32%\certenrollctrl.exe'
Type: Sideloading
- Path: '%SYSTEM32%\dmcertinst.exe'
Type: Sideloading
Resources:
- https://wietze.github.io/blog/hijacking-dlls-in-windows
- https://securityintelligence.com/posts/windows-features-dll-sideloading/
- https://github.com/xforcered/WFH
Acknowledgements:
- Name: Wietze
Twitter: "@wietze"
- Name: Chris Spehn
Twitter: "@ConsciousHacker"
6 changes: 6 additions & 0 deletions yml/microsoft/built-in/clusapi.yml
Expand Up @@ -7,6 +7,8 @@ ExpectedLocations:
- "%SYSTEM32%"
- "%SYSWOW64%"
VulnerableExecutables:
- Path: '%SYSTEM32%\dfsrdiag.exe'
Type: Sideloading
- Path: '%SYSTEM32%\msdtc.exe'
Type: Sideloading
- Path: '%SYSTEM32%\tieringengineservice.exe'
Expand All @@ -15,6 +17,10 @@ VulnerableExecutables:
Type: Sideloading
Resources:
- https://wietze.github.io/blog/hijacking-dlls-in-windows
- https://securityintelligence.com/posts/windows-features-dll-sideloading/
- https://github.com/xforcered/WFH
Acknowledgements:
- Name: Wietze
Twitter: "@wietze"
- Name: Chris Spehn
Twitter: "@ConsciousHacker"
17 changes: 17 additions & 0 deletions yml/microsoft/built-in/cmutil.yml
@@ -0,0 +1,17 @@
---
Name: cmutil.dll
Author: Chris Spehn
Created: 2021-08-16
Vendor: Microsoft
ExpectedLocations:
- "%SYSTEM32%"
- "%SYSWOW64%"
VulnerableExecutables:
- Path: '%SYSTEM32%\cmstp.exe'
Type: Sideloading
Resources:
- https://securityintelligence.com/posts/windows-features-dll-sideloading/
- https://github.com/xforcered/WFH
Acknowledgements:
- Name: Chris Spehn
Twitter: "@ConsciousHacker"
16 changes: 16 additions & 0 deletions yml/microsoft/built-in/configmanager2.yml
@@ -0,0 +1,16 @@
---
Name: configmanager2.dll
Author: Chris Spehn
Created: 2021-08-16
Vendor: Microsoft
ExpectedLocations:
- "%SYSTEM32%"
VulnerableExecutables:
- Path: '%SYSTEM32%\hvsievaluator.exe'
Type: Sideloading
Resources:
- https://securityintelligence.com/posts/windows-features-dll-sideloading/
- https://github.com/xforcered/WFH
Acknowledgements:
- Name: Chris Spehn
Twitter: "@ConsciousHacker"
16 changes: 16 additions & 0 deletions yml/microsoft/built-in/coredplus.yml
@@ -0,0 +1,16 @@
---
Name: coredplus.dll
Author: Chris Spehn
Created: 2021-08-17
Vendor: Microsoft
ExpectedLocations:
- "%SYSTEM32%"
VulnerableExecutables:
- Path: '%SYSTEM32%\omadmclient.exe'
Type: Sideloading
Resources:
- https://securityintelligence.com/posts/windows-features-dll-sideloading/
- https://github.com/xforcered/WFH
Acknowledgements:
- Name: Chris Spehn
Twitter: "@ConsciousHacker"
6 changes: 6 additions & 0 deletions yml/microsoft/built-in/coremessaging.yml
Expand Up @@ -9,8 +9,14 @@ ExpectedLocations:
VulnerableExecutables:
- Path: '%SYSTEM32%\dwm.exe'
Type: Sideloading
- Path: '%SYSTEM32%\sihost.exe'
Type: Sideloading
Resources:
- https://wietze.github.io/blog/hijacking-dlls-in-windows
- https://securityintelligence.com/posts/windows-features-dll-sideloading/
- https://github.com/xforcered/WFH
Acknowledgements:
- Name: Wietze
Twitter: "@wietze"
- Name: Chris Spehn
Twitter: "@ConsciousHacker"
17 changes: 17 additions & 0 deletions yml/microsoft/built-in/coreuicomponents.yml
@@ -0,0 +1,17 @@
---
Name: coreuicomponents.dll
Author: Chris Spehn
Created: 2021-08-16
Vendor: Microsoft
ExpectedLocations:
- "%SYSTEM32%"
- "%SYSWOW64%"
VulnerableExecutables:
- Path: '%SYSTEM32%\dwm.exe'
Type: Sideloading
Resources:
- https://securityintelligence.com/posts/windows-features-dll-sideloading/
- https://github.com/xforcered/WFH
Acknowledgements:
- Name: Chris Spehn
Twitter: "@ConsciousHacker"
14 changes: 14 additions & 0 deletions yml/microsoft/built-in/credui.yml
Expand Up @@ -11,15 +11,25 @@ VulnerableExecutables:
Type: Sideloading
- Path: '%SYSTEM32%\fxssvc.exe'
Type: Sideloading
- Path: '%SYSTEM32%\gpfixup.exe'
Type: Sideloading
- Path: '%SYSTEM32%\licmgr.exe'
Type: Sideloading
- Path: '%SYSTEM32%\mstsc.exe'
Type: Sideloading
- Path: '%SYSTEM32%\netdom.exe'
Type: Sideloading
- Path: '%SYSTEM32%\nlbmgr.exe'
Type: Sideloading
- Path: '%SYSTEM32%\perfmon.exe'
Type: Sideloading
AutoElevate: true
- Path: '%SYSTEM32%\rekeywiz.exe'
Type: Sideloading
- Path: '%SYSTEM32%\rpcping.exe'
Type: Sideloading
- Path: '%SYSTEM32%\runas.exe'
Type: Sideloading
- Path: '%SYSTEM32%\systempropertiesadvanced.exe'
Type: Sideloading
AutoElevate: true
Expand All @@ -38,6 +48,10 @@ VulnerableExecutables:
Resources:
- https://wietze.github.io/blog/hijacking-dlls-in-windows
- https://wietze.github.io/blog/save-the-environment-variables
- https://securityintelligence.com/posts/windows-features-dll-sideloading/
- https://github.com/xforcered/WFH
Acknowledgements:
- Name: Wietze
Twitter: '@wietze'
- Name: Chris Spehn
Twitter: "@ConsciousHacker"