From 9642f81be7aa37b069cdefbeb8b17c341de71fd2 Mon Sep 17 00:00:00 2001 From: jesgal <59289295+jesgal@users.noreply.github.com> Date: Thu, 29 Oct 2020 09:12:28 +0100 Subject: [PATCH] Update Update.yml I update this LolBin to create persistence of payload.exe in the directory "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" by running payload.exe with the argument "--createShortcut" and "--removeShortcut". --- yml/OtherMSBinaries/Update.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/yml/OtherMSBinaries/Update.yml b/yml/OtherMSBinaries/Update.yml index 5195cf0..b22d000 100644 --- a/yml/OtherMSBinaries/Update.yml +++ b/yml/OtherMSBinaries/Update.yml @@ -92,6 +92,22 @@ Commands: MitreID: T1218 MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed + - Command: Update.exe --createShortcut=payload.exe -l=Startup + Description: Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Then payload will run on every login of the user who runs it. + Usecase: Execute binary + Category: Execute + Privileges: User + MitreID: T1547 + MitreLink: https://attack.mitre.org/techniques/T1547/001/ + OperatingSystem: Windows 7 and up with Microsoft Teams installed + - Command: Update.exe --removeShortcut=payload.exe -l=Startup + Description: Run the command to remove the shortcut created in the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory you created with the LolBinExecution "--createShortcut" described on this page. + Usecase: Execute binary + Category: Execute + Privileges: User + MitreID: T1070 + MitreLink: https://attack.mitre.org/techniques/T1070/ + OperatingSystem: Windows 7 and up with Microsoft Teams installed Full_Path: - Path: '%localappdata%\Microsoft\Teams\update.exe' Code_Sample: 
@@ -114,4 +130,5 @@ Acknowledgement: Handle: '@MrUn1k0d3r' - Person: Adam Handle: '@Hexacorn' + - Person: Jesus Galvez ---
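Review bot: the `Usecase: Execute binary` / `Category: Execute` pairs on both new entries in the first hunk do not match what those entries describe and look copied from the existing T1218 entry directly above them; the `--createShortcut=payload.exe -l=Startup` entry documents a Startup-folder autostart (its own MitreID is T1547 with the T1547/001 link) and the `--removeShortcut` entry documents cleanup of that artifact (T1070), so the Usecase should say persistence and indicator removal respectively, and the Category should be changed to whatever value the schema uses for those behaviours rather than Execute. Two smaller points on the same hunk: the new links use the current `https://attack.mitre.org/techniques/...` form while the entry above still uses `https://attack.mitre.org/wiki/Technique/T1218`, so it is worth updating that one in the same change, and the second Description ("remove the shortcut ... you created with the LolBinExecution "--createShortcut" described on this page") should be tightened to something like "Removes the Startup-folder shortcut created by the --createShortcut command above", with the Startup path called out as the artifact defenders should watch for.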
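Review bot: the new `- Person: Jesus Galvez` entry in the Acknowledgement hunk is missing the `Handle:` line that every neighbouring entry carries (`- Person: Adam` / `Handle: '@Hexacorn'`); add a `Handle:` line (the author handle in the From header is jesgal) so the list stays uniform.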