From 020416d098506c395e7974cd65f0f5fa7e92f79f Mon Sep 17 00:00:00 2001
From: Oddvar Moe
Date: Sat, 15 Aug 2020 00:26:35 +0200
Subject: [PATCH] Delete Update.yml
---
yml/OtherMSBinaries/Update.yml | 32 --------------------------------
1 file changed, 32 deletions(-)
delete mode 100644 yml/OtherMSBinaries/Update.yml
diff --git a/yml/OtherMSBinaries/Update.yml b/yml/OtherMSBinaries/Update.yml
deleted file mode 100644
index 91c46cc..0000000
--- a/yml/OtherMSBinaries/Update.yml
+++ /dev/null
@@ -1,32 +0,0 @@
----
-Name: Update.exe
-Description: Update is the squirrel update utility used by Microsoft Electron app (Teams in this case)
-Author: 'Mr.Un1k0d3r'
-Created: '2019-06-26'
-Commands:
- - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
- Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
- Usecase: Application Whitelisting Bypass
- Category: AWL Bypass
- Privileges: User
- MitreID: T1218
- MitreLink: https://attack.mitre.org/wiki/Technique/T1218
- OperatingSystem: Windows 7 and up with Microsoft Teams installed
- - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
- Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
- Usecase: Execute binary
- Category: Execute
- Privileges: User
- MitreID: T1218
- MitreLink: https://attack.mitre.org/wiki/Technique/T1218
- OperatingSystem: Windows 7 and up with Microsoft Teams installed
-Full_Path:
- - Path: '%userprofile%\AppData\Local\Microsoft\Teams\Update.exe'
-Detection:
- - IOC: Update.exe spawned an unknown process
-Resources:
- - Link: https://twitter.com/MrUn1k0d3r/status/1143928885211537408
-Acknowledgement:
- - Person: Mr.Un1k0d3r
- Handle: '@MrUn1k0d3r'
----