Reverted back

This commit is contained in:
Oddvar Moe 2019-06-27 13:49:52 +02:00
parent 6338ac77a0
commit d26c01fa45

View File

@ -5,7 +5,7 @@ Author: 'Mr.Un1k0d3r'
Created: '2019-06-26'
Commands:
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
Description: Copy your payload into userprofile\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
Usecase: Application Whitelisting Bypass
Category: AWL Bypass
Privileges: User
@ -13,7 +13,7 @@ Commands:
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
- Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
Description: Copy your payload into userprofile\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
Usecase: Execute binary
Category: Execute
Privileges: User
@ -21,7 +21,7 @@ Commands:
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 7 and up with Microsoft Teams installed
Full_Path:
- Path: userprofile\AppData\Local\Microsoft\Teams\Update.exe
- Path: '%userprofile%\AppData\Local\Microsoft\Teams\Update.exe'
Detection:
- IOC: Update.exe spawned an unknown process
Resources: