Teams.exe
Electron runtime binary which runs the Teams application
Paths
C:\Users\<username>\AppData\Local\Microsoft\Teams\current\Teams.exe
Commands

Execute
Generate a JavaScript payload and package.json, and save them to "%LOCALAPPDATA%\Microsoft\Teams\current\app\" before executing.
Use case: Execute JavaScript code
Privileges: User
teams.exe

Execute
Generate a JavaScript payload and package.json, archive them in an ASAR file and save it to "%LOCALAPPDATA%\Microsoft\Teams\current\app.asar" before executing.
Use case: Execute JavaScript code
Privileges: User
teams.exe

Execute
Teams spawns cmd.exe as a child process of teams.exe, which executes the ping command.
Use case: Executes a process under a trusted Microsoft signed binary
Privileges: User
teams.exe --disable-gpu-sandbox --gpu-launcher="{CMD} &&"
Detection
- IOC: %LOCALAPPDATA%\Microsoft\Teams\current\app directory created
- IOC: %LOCALAPPDATA%\Microsoft\Teams\current\app.asar file created/modified by non-Teams installer/updater
- Sigma: https://github.com/SigmaHQ/sigma/blob/43277f26fc1c81fc98fc79147b711189e901b757/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml
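The following is an added detection example, not part of the LOLBAS entry or the linked Sigma rule: it runs the two IOCs above and the --gpu-launcher proxy pattern over constructed Sysmon-style process and file events. The allow-list of legitimate writers (Update.exe, the Squirrel updater) and the field names are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample telemetry (Sysmon-style fields); not real events.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"kind": "process", "image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "cmdline": r'Teams.exe --disable-gpu-sandbox --gpu-launcher="ping 127.0.0.1 &&"'},
    {"kind": "process", "image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "cmdline": "Teams.exe --type=renderer"},
    {"kind": "file", "image": r"C:\Windows\System32\cmd.exe",
     "target": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\app.asar"},
    {"kind": "file", "image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
     "target": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\app.asar"},
    {"kind": "file", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\app\package.json"},
]

# Assumption: the Squirrel updater (Update.exe) is the only process that should
# legitimately create or modify app.asar or the app\ directory under current\.
ALLOWED_WRITERS = {"update.exe"}

# Matches the two IOC locations: current\app\<anything> and current\app.asar itself.
PAYLOAD_PATH = re.compile(r"\\Microsoft\\Teams\\current\\(app\\|app\.asar$)", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return a detection tag for one event, or None if it looks benign."""
    if ev["kind"] == "process":
        # --gpu-launcher lets the Electron binary proxy an arbitrary command;
        # Teams never passes it during normal operation.
        if basename(ev["image"]) == "teams.exe" and "--gpu-launcher=" in ev["cmdline"].lower():
            return "teams_gpu_launcher_proxy"
        return None
    if ev["kind"] == "file":
        if PAYLOAD_PATH.search(ev["target"]) and basename(ev["image"]) not in ALLOWED_WRITERS:
            return "teams_app_payload_written_by_untrusted_process"
    return None


def scan(events: List[Dict[str, str]]) -> List[Tuple[Dict[str, str], str]]:
    """Return (event, tag) pairs for every event that triggers a detection."""
    return [(ev, tag) for ev in events if (tag := classify(ev))]
```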