Mirror of https://github.com/LOLBAS-Project/LOLBAS, synced 2025-10-25 23:05:58 +02:00
	Microsoft Teams as a LOLbin
		
							
								
								
									
31  yml/OtherMSBinaries/Teams.yml  (Normal file)
									
								
							
							
						
						
									
							| @@ -0,0 +1,31 @@ | ||||
| --- | ||||
| Name: Teams.exe | ||||
| Description: Electron runtime binary which runs the Teams application | ||||
| Author: Andrew Kisliakov | ||||
| Created: 2022-01-17 | ||||
| Commands: | ||||
|   - Command: Teams.exe | ||||
|     Description: Generate JavaScript payload and package.json, and save to %LOCALAPPDATA%\Microsoft\Teams\current\app\ before executing. | ||||
|     Usecase: Execute JavaScript code | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     OperatingSystem: Windows 7 and up with Microsoft Teams installed | ||||
|   - Command: Teams.exe | ||||
|     Description: Generate JavaScript payload and package.json, archive in ASAR file and save to %LOCALAPPDATA%\Microsoft\Teams\current\app.asar before executing. | ||||
|     Usecase: Execute JavaScript code | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1218 | ||||
|     OperatingSystem: Windows 7 and up with Microsoft Teams installed | ||||
| Full_Path: | ||||
|   - Path: %LOCALAPPDATA%\Microsoft\Teams\current\Teams.exe | ||||
| Code_Sample: | ||||
|   - Code: https://github.com/lltltk/LOLBAS-research/tree/master/Teams | ||||
| Detection: | ||||
|   - IOC: %LOCALAPPDATA%\Microsoft\Teams\current\app directory created | ||||
|   - IOC: %LOCALAPPDATA%\Microsoft\Teams\current\app.asar file created/modified by non-Teams installer/updater | ||||
| Resources: | ||||
|   - Link: https://l--k.uk/2022/01/16/microsoft-teams-and-other-electron-apps-as-lolbins/ | ||||
| Acknowledgement: | ||||
|   - Person: Andrew Kisliakov | ||||
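Review bot: The two Detection IOCs near the end of the file are worded inconsistently. The app.asar entry is qualified with "by non-Teams installer/updater", but the app directory entry only says "directory created", so it is unclear whether any creation of %LOCALAPPDATA%\Microsoft\Teams\current\app counts as an indicator or only creation by a process other than the installer/updater. Suggest giving both IOCs the same qualifier, and having the directory IOC also cover files written inside it, since the first command's Description saves the payload and package.json there. Separately, both Commands entries carry the identical `Command: Teams.exe` and differ only late in their Description text; leading each Description with which variant it is (unpacked app directory versus app.asar) would let readers tell the two entries apart at a glance.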