From 6338ac77a0770131e0d5dba82bd1b3e249e7a8e2 Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Thu, 27 Jun 2019 13:46:40 +0200 Subject: [PATCH] Remove % from Update.yml --- yml/OtherMSBinaries/Update.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yml/OtherMSBinaries/Update.yml b/yml/OtherMSBinaries/Update.yml index 91c46cc..e5ba2ff 100644 --- a/yml/OtherMSBinaries/Update.yml +++ b/yml/OtherMSBinaries/Update.yml @@ -5,7 +5,7 @@ Author: 'Mr.Un1k0d3r' Created: '2019-06-26' Commands: - Command: Update.exe --processStart payload.exe --process-start-args "whatever args" - Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. + Description: Copy your payload into userprofile\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. Usecase: Application Whitelisting Bypass Category: AWL Bypass Privileges: User @@ -13,7 +13,7 @@ Commands: MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed - Command: Update.exe --processStart payload.exe --process-start-args "whatever args" - Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. + Description: Copy your payload into userprofile\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. Usecase: Execute binary Category: Execute Privileges: User @@ -21,7 +21,7 @@ Commands: MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed Full_Path: - - Path: '%userprofile%\AppData\Local\Microsoft\Teams\Update.exe' + - Path: userprofile\AppData\Local\Microsoft\Teams\Update.exe Detection: - IOC: Update.exe spawned an unknown process Resources:
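Review bot: In the two Description hunks (@@ -5,7 and @@ -13,7), dropping the percent signs turns the environment variable `%userprofile%` into the bare word `userprofile`, so the text no longer says that the directory is under the current user's profile and the path reads as a relative one. The commit message ("Remove % from Update.yml") gives no reason for the removal. If the percent signs cause a problem for whatever parses or renders this file, please say so in the commit message and wrap the Description value in single quotes, or use a placeholder that is documented for the project, rather than deleting the variable markers. The same edit is applied to both entries, so whichever form is chosen should be used in both.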
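Review bot: In the Full_Path hunk (@@ -21,7), the new value `userprofile\AppData\Local\Microsoft\Teams\Update.exe` is no longer a path that expands on a Windows host, and this is the field a defender would read to locate the binary or to scope the "Update.exe spawned an unknown process" IOC listed just below it. The change also drops the single quotes that the old line had, while other scalars in the file (Author, Created) stay quoted. I would keep the value quoted and keep an unambiguous reference to the user profile directory; if the percent signs have to go, note the reason in the commit message and state the replacement convention in the file so readers know `userprofile` stands for the per-user profile directory.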