MSTeams exe side-loading - Update.exe

Detects execution of a side-loaded executable via Update.exe, the Squirrel updater shipped as part of the Microsoft Teams application binaries. Update.exe accepts a `--processStart <name>.exe` argument and starts that executable as its child, so any child of Update.exe other than Teams.exe itself is suspicious.

Sigma rule

```yaml
title: MSTeams exe side-loading - Update.exe
description: Detects execution of a side-loaded executable via Update.exe, part of the Microsoft Teams application binaries.
status: experimental
date: 2022/01/12
author: '@kostastsale'
references:
    - https://twitter.com/misconfig/status/1481198346379436035
    - https://twitter.com/Kostastsale/status/1481438427878858755
    - https://github.com/Squirrel/Squirrel.Windows/blob/0d1250aa6f0c25fe22e92add78af327d1277d97d/src/Update/Program.cs#L123
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        # Parent must be Teams' Update.exe invoked with --processStart <something>.exe
        ParentCommandLine|contains|all:
            - 'AppData\Local\Microsoft\Teams\Update.exe'
            - '--processStart *.exe'
        ParentImage|endswith:
            - 'update.exe'
    filter:
        # The expected child is Teams.exe; anything else is the side-loaded binary
        Image|endswith:
            - 'Teams.exe'
    condition: selection1 and not filter
falsepositives:
    - Unlikely
level: high
tags:
    - attack.defense_evasion
    - attack.t1218
```
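To see what the detection section actually matches, here is an added Python example (not part of the rule, the Sigma project, or the author's work) that evaluates the rule's `selection1` and `filter` over constructed `process_creation` events. It implements the Sigma semantics the rule relies on: `*` and `?` wildcards inside values, the `contains` and `endswith` modifiers, `|all` requiring every listed value to match, and case-insensitive comparison. All event field values are constructed, and the helper names (`matches`, `rule_matches`, `alerting_images`) are the example's own.

```python
import re

# Constructed process_creation events (not real telemetry) covering the cases the
# rule distinguishes. Field names follow the Sigma process_creation taxonomy.
SAMPLE_EVENTS = [
    {   # 0: legitimate Teams start through Squirrel's Update.exe; excluded by the filter
        "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
        "ParentImage": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
        "ParentCommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"',
    },
    {   # 1: an arbitrary binary launched via --processStart; should alert
        "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\calc.exe",
        "ParentImage": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
        "ParentCommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --processStart "calc.exe"',
    },
    {   # 2: same parent, different letter case and no quotes; should still alert
        "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\payload.exe",
        "ParentImage": r"C:\Users\alice\AppData\Local\Microsoft\Teams\UPDATE.EXE",
        "ParentCommandLine": r"C:\Users\alice\AppData\Local\Microsoft\Teams\UPDATE.EXE --processStart payload.exe",
    },
    {   # 3: a hypothetical other app's Update.exe outside the Teams path; no alert
        "Image": r"C:\Users\alice\AppData\Local\OtherApp\app-1.0.0\OtherApp.exe",
        "ParentImage": r"C:\Users\alice\AppData\Local\OtherApp\Update.exe",
        "ParentCommandLine": r'"C:\Users\alice\AppData\Local\OtherApp\Update.exe" --processStart OtherApp.exe',
    },
    {   # 4: unrelated parent; no alert
        "Image": r"C:\Windows\System32\calc.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r"cmd.exe /c calc.exe",
    },
]

# The rule's detection section, transcribed as (field, modifier, all/any, values).
SELECTION1 = [
    ("ParentCommandLine", "contains", "all",
     [r"AppData\Local\Microsoft\Teams\Update.exe", "--processStart *.exe"]),
    ("ParentImage", "endswith", "any", ["update.exe"]),
]
FILTER = [("Image", "endswith", "any", ["Teams.exe"])]


def _wild_to_regex(value: str) -> str:
    """Translate Sigma wildcards ('*' = any run, '?' = one char) to regex, escaping the rest."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in value)


def matches(field_value: str, value: str, modifier: str) -> bool:
    """Sigma string match: case-insensitive, wildcards honoured, modifier adds anchoring."""
    body = _wild_to_regex(value)
    pattern = {
        "contains": f".*{body}.*",
        "endswith": f".*{body}",
        "startswith": f"{body}.*",
    }.get(modifier, body)
    return re.fullmatch(pattern, field_value, flags=re.IGNORECASE | re.DOTALL) is not None


def selection_matches(event: dict, selection: list) -> bool:
    """All field entries of a selection must hold (Sigma maps are AND-ed)."""
    for field, modifier, mode, values in selection:
        results = [matches(event.get(field, ""), v, modifier) for v in values]
        if mode == "all" and not all(results):
            return False
        if mode == "any" and not any(results):
            return False
    return True


def rule_matches(event: dict) -> bool:
    """condition: selection1 and not filter"""
    return selection_matches(event, SELECTION1) and not selection_matches(event, FILTER)


def alerting_images(events: list) -> list:
    """Return the child Image of every event the rule would fire on."""
    return [e["Image"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for image in alerting_images(SAMPLE_EVENTS):
        print("ALERT: side-loaded child of Teams Update.exe:", image)
```

Only the Teams.exe child is filtered out; anything else reached through `--processStart` under the Teams path fires, including a parent path in a different letter case, because Sigma comparison is case-insensitive. The `*.exe` wildcard inside the `contains` value means a `--processStart` pointing at a non-`.exe` name would not match, which is a gap a defender may want to close with a broader pattern.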
