Modified hid.yml to reflect Phantom DLL Hijack via service (#55)

Co-authored-by: Wietze <wietze@users.noreply.github.com>
wietze · Jul 26, 2023 · b79492d · b79492d · v1stra · Jul 30, 2023
1 parent 74ee4bc
commit b79492d
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/yml/microsoft/built-in/hid.yml b/yml/microsoft/built-in/hid.yml
@@ -23,8 +23,17 @@ VulnerableExecutables:
   - Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
     Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
     Type: Catalog
+- Path: '%SYSTEM32%\PerceptionSimulation\PerceptionSimulationService.exe'
+  Type: Phantom
+  ExpectedSignatureInformation:
+  - Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+    Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
+    Type: Catalog
 Resources:
 - https://wietze.github.io/blog/hijacking-dlls-in-windows
+- https://github.com/netero1010/ServiceMove-BOF
 Acknowledgements:
 - Name: Wietze
   Twitter: '@wietze'
+- Name: v1stra
+  Twitter: '@_v1stra'