From d26c01fa45cb6285ced95aae83050f53ced03c54 Mon Sep 17 00:00:00 2001 From: Oddvar Moe Date: Thu, 27 Jun 2019 13:49:52 +0200 Subject: [PATCH] Reverted back --- yml/OtherMSBinaries/Update.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yml/OtherMSBinaries/Update.yml b/yml/OtherMSBinaries/Update.yml index e5ba2ff..91c46cc 100644 --- a/yml/OtherMSBinaries/Update.yml +++ b/yml/OtherMSBinaries/Update.yml @@ -5,7 +5,7 @@ Author: 'Mr.Un1k0d3r' Created: '2019-06-26' Commands: - Command: Update.exe --processStart payload.exe --process-start-args "whatever args" - Description: Copy your payload into userprofile\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. + Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. Usecase: Application Whitelisting Bypass Category: AWL Bypass Privileges: User @@ -13,7 +13,7 @@ Commands: MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed - Command: Update.exe --processStart payload.exe --process-start-args "whatever args" - Description: Copy your payload into userprofile\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. + Description: Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. Usecase: Execute binary Category: Execute Privileges: User @@ -21,7 +21,7 @@ Commands: MitreLink: https://attack.mitre.org/wiki/Technique/T1218 OperatingSystem: Windows 7 and up with Microsoft Teams installed Full_Path: - - Path: userprofile\AppData\Local\Microsoft\Teams\Update.exe + - Path: '%userprofile%\AppData\Local\Microsoft\Teams\Update.exe' Detection: - IOC: Update.exe spawned an unknown process Resources:
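Review bot: In the first hunk (@@ -5,7 +5,7 @@), the new Description is left as an unquoted scalar while the Path changed in the last hunk is wrapped in single quotes. The Description parses as written because the % is not the first character of the value, but quoting it the same way as Path would keep the file consistent and would survive a later edit that moves %userprofile% to the start of the string. Separately, the subject "Reverted back" does not say what is being restored; a subject that names the change (the % delimiters around userprofile in Update.yml) would make the history easier to search.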
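Review bot: In the second hunk (@@ -13,7 +13,7 @@), the Description is identical to the one in the AWL Bypass entry above it, and both entries carry the same Command; only Usecase and Category differ. Two entries with the same text have to be edited in lockstep, which is exactly what this patch does twice. Suggest giving the Execute entry its own Description wording that reflects its Usecase, so the two entries are distinguishable and a fix to one is not silently missed in the other.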
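Review bot: In the last hunk (@@ -21,7 +21,7 @@), quoting the Path is correct, since a YAML plain scalar cannot begin with %, but the Detection entry in the trailing context, "IOC: Update.exe spawned an unknown process", gives a defender little to match on. The Commands in this file already name the specifics, so the IOC could say that Update.exe was started with --processStart and launched an unexpected image from %userprofile%\AppData\Local\Microsoft\Teams\current\. Suggest tightening the IOC along those lines in this patch or a follow-up.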