diff --git a/yml/OtherMSBinaries/Teams.yml b/yml/OtherMSBinaries/Teams.yml index fffb4b1..8cfa543 100644 --- a/yml/OtherMSBinaries/Teams.yml +++ b/yml/OtherMSBinaries/Teams.yml @@ -11,6 +11,8 @@ Commands: Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: Javascript - Command: teams.exe Description: Generate JavaScript payload and package.json, archive in ASAR file and save to "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar" before executing. Usecase: Execute JavaScript code @@ -18,6 +20,8 @@ Commands: Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: Javascript - Command: teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&" Description: Teams spawns cmd.exe as a child process of teams.exe and executes the ping command Usecase: Executes a process under a trusted Microsoft signed binary @@ -25,6 +29,8 @@ Commands: Privileges: User MitreID: T1218.015 OperatingSystem: Windows 10, Windows 11 + Tags: + - Execute: CMD Full_Path: - Path: 'C:\Users\\AppData\Local\Microsoft\Teams\current\Teams.exe' Code_Sample:
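Review bot: the new tag value `Javascript` (first and second hunks, `- Execute: Javascript`) is cased differently from the `JavaScript` already used in the same entries' Usecase (`Execute JavaScript code`) and Description (`Generate JavaScript payload ...`). Tag values are compared as plain strings when entries are grouped or filtered by tag, so one spelling should be used throughout the file; `- Execute: JavaScript` matches the prose already in both entries and avoids a second, near-duplicate tag alongside any existing `JavaScript` tag in the corpus.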
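Review bot: in the third hunk the unchanged context line `- Path: 'C:\Users\\AppData\Local\Microsoft\Teams\current\Teams.exe'` is a single-quoted YAML scalar, so `\\` is not an escape and the path is emitted with a literal empty directory segment between `Users` and `AppData`. If this line reproduces the file faithfully, it should carry a username wildcard or placeholder (or be expressed via the `%LOCALAPPDATA%` form that the second entry's Description already uses) rather than an empty segment; since this change touches the same entry and adds `- Execute: CMD` right above it, it would be a good moment to fix the path in the same PR. The `Execute: CMD` tag itself matches the Description (`Teams spawns cmd.exe as a child process`).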