LOLBAS/yml/OtherMSBinaries/Update.yml

---
Name: Update.exe
Description: Update is the squirrel update utility used by Microsoft Electron app (Teams in this case)
Author: 'Mr.Un1k0d3r'
Created: '2019-06-26'
Commands:
  - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
    Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
    Usecase: Application Whitelisting Bypass
    Category: AWL Bypass
    Privileges: User
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows 7 and up with Microsoft Teams installed
  - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
    Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
    Usecase: Execute binary
    Category: Execute
    Privileges: User
    MitreID: T1218
    MitreLink: https://attack.mitre.org/wiki/Technique/T1218
    OperatingSystem: Windows 7 and up with Microsoft Teams installed
Full_Path:
  - Path: '%userprofile%\AppData\Local\Microsoft\Teams\Update.exe'
Detection: 
  - IOC: Update.exe spawned an unknown process
Resources:
  - Link: https://twitter.com/MrUn1k0d3r/status/1143928885211537408
Acknowledgement:
  - Person: Mr.Un1k0d3r
    Handle: '@MrUn1k0d3r'
---
Create Teams-update.yml 2019-06-26 20:12:02 +02:00			`---`
			`Name: Update.exe`
			`Description: Update is the squirrel update utility used by Microsoft Electron app (Teams in this case)`
Adjusted new contributions 2019-06-27 13:40:03 +02:00			`Author: 'Mr.Un1k0d3r'`
			`Created: '2019-06-26'`
Create Teams-update.yml 2019-06-26 20:12:02 +02:00			`Commands:`
Adjusted new contributions 2019-06-27 13:40:03 +02:00			`- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"`
Reverted back 2019-06-27 13:49:52 +02:00			`Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.`
Create Teams-update.yml 2019-06-26 20:12:02 +02:00			`Usecase: Application Whitelisting Bypass`
			`Category: AWL Bypass`
Adjusted new contributions 2019-06-27 13:40:03 +02:00			`Privileges: User`
			`MitreID: T1218`
			`MitreLink: https://attack.mitre.org/wiki/Technique/T1218`
			`OperatingSystem: Windows 7 and up with Microsoft Teams installed`
			`- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"`
Reverted back 2019-06-27 13:49:52 +02:00			`Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.`
Adjusted new contributions 2019-06-27 13:40:03 +02:00			`Usecase: Execute binary`
			`Category: Execute`
			`Privileges: User`
			`MitreID: T1218`
			`MitreLink: https://attack.mitre.org/wiki/Technique/T1218`
Create Teams-update.yml 2019-06-26 20:12:02 +02:00			`OperatingSystem: Windows 7 and up with Microsoft Teams installed`
			`Full_Path:`
Reverted back 2019-06-27 13:49:52 +02:00			`- Path: '%userprofile%\AppData\Local\Microsoft\Teams\Update.exe'`
Create Teams-update.yml 2019-06-26 20:12:02 +02:00			`Detection:`
Adjusted new contributions 2019-06-27 13:40:03 +02:00			`- IOC: Update.exe spawned an unknown process`
Create Teams-update.yml 2019-06-26 20:12:02 +02:00			`Resources:`
Adjusted new contributions 2019-06-27 13:40:03 +02:00			`- Link: https://twitter.com/MrUn1k0d3r/status/1143928885211537408`
			`Acknowledgement:`
Create Teams-update.yml 2019-06-26 20:12:02 +02:00			`- Person: Mr.Un1k0d3r`
Adjusted new contributions 2019-06-27 13:40:03 +02:00			`Handle: '@MrUn1k0d3r'`
Create Teams-update.yml 2019-06-26 20:12:02 +02:00			`---`