.. /Teams.exe
Star

Execute

Electron runtime binary which runs the Teams application

Paths:

%LOCALAPPDATA%\Microsoft\Teams\current\Teams.exe

Resources:

https://l--k.uk/2022/01/16/microsoft-teams-and-other-electron-apps-as-lolbins/

Acknowledgements:

Andrew Kisliakov
mr.d0x (@mrd0x)

Detection:

IOC: %LOCALAPPDATA%\Microsoft\Teams\current\app directory created
IOC: %LOCALAPPDATA%\Microsoft\Teams\current\app.asar file created/modified by non-Teams installer/updater
Sigma: https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml

Execute

Generate JavaScript payload and package.json, and save to "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app\\" before executing.

teams.exe

Usecase: Execute JavaScript code
Privileges required: User
OS: Windows 10, Windows 11
MITRE ATT&CK®: T1218

Generate JavaScript payload and package.json, archive in ASAR file and save to "%LOCALAPPDATA%\\Microsoft\\Teams\\current\\app.asar" before executing.

teams.exe

Usecase: Execute JavaScript code
Privileges required: User
OS: Windows 10, Windows 11
MITRE ATT&CK®: T1218

Teams spawns cmd.exe as a child process of teams.exe and executes the ping command

teams.exe --disable-gpu-sandbox --gpu-launcher="C:\Windows\system32\cmd.exe /c ping google.com &&"

Usecase: Executes a process under a trusted Microsoft signed binary
Privileges required: User
OS: Windows 10, Windows 11
MITRE ATT&CK®: T1218

.. /Teams.exe Star

Execute

.. /Teams.exe
Star