{"id":6482,"date":"2019-06-29T23:32:05","date_gmt":"2019-06-29T23:32:05","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=6482"},"modified":"2019-06-30T00:50:42","modified_gmt":"2019-06-30T00:50:42","slug":"sign-your-name-across-my-heart-vendor-use-one-name-only","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2019\/06\/29\/sign-your-name-across-my-heart-vendor-use-one-name-only\/","title":{"rendered":"Sign your name across my heart; vendor… use one name only…"},"content":{"rendered":"\n

I have been looking at a data stored by vendors inside the VERSIONINFO structure for quite some<\/a> time now. The TODO bit is one issue I described previously, but there are more.<\/p>\n\n\n\n

One of the most annoying things is a crazy number of names that vendors use in a CompanyName<\/em> field. This is of course kinda understandable – large companies have many departments and coding teams scattered across the whole world. It certainly looks like an impossible task to ensure all of them go through a single, bureaucratic office that will double-check if all of them use the very same vendor name. And perhaps there are other reasons too – I don’t know laws of all the countries of course, there could be a genuine need in some places to always use an official name of the company in that field(?). I really dunno.<\/p>\n\n\n\n

In any case… From a threat hunting perspective, it complicates our life. For example, when you want to whitelist some of these vendor names you will always end up with a never-ending whack-a-mole game. In my experience, for every entry I add per vendor, there are another 1-5 out there that are very similar, and which I will add some time in the future. I don’t think there is any good solution for this today. <\/p>\n\n\n\n

To demonstrate the issue, let’s have a look at common vendor names one can encounter…:<\/p>\n\n\n\n

HP:<\/p>\n\n\n\n