---
Name: Update.exe
Description: Binary to update the existing installed Nuget/squirrel package. Part of Whatsapp installation.
Author: 'Jesus Galvez'
Created: '2020-11-01'
  - Command: Update.exe --processStart payload.exe --process-start-args "whatever args"
    Description: Copy your payload into "%localappdata%\Whatsapp\app-[version]\". Then run the command. Update.exe will execute the file you copied.
    Usecase: Execute binary
    Category: Execute
    Privileges: User
    MitreID: T1218
    MitreLink: https://attack.mitre.org/techniques/T1218/
    OperatingSystem: Windows 7 and up with Whatsapp installed
Full_Path:
  - Path: '%localappdata%\Whatsapp\Update.exe'
Detection: 
  - IOC: "%localappdata%\Whatsapp\Update.exe" spawned an unknown process
---