MSTeams exe side-loading - Update.exe
Detects execution of a side-loaded executable launched via Update.exe, which is part of the Microsoft Teams application binaries.
Sigma rule:

```yaml
title: MSTeams exe side-loading - Update.exe
description: Detects execution of a side-loaded executable launched via Update.exe, which is part of the Microsoft Teams application binaries.
status: experimental
date: 2022/01/12
author: '@kostastsale'
references:
  - https://twitter.com/misconfig/status/1481198346379436035
  - https://twitter.com/Kostastsale/status/1481438427878858755
  - https://github.com/Squirrel/Squirrel.Windows/blob/0d1250aa6f0c25fe22e92add78af327d1277d97d/src/Update/Program.cs#L123
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    ParentCommandLine|contains|all:
      - 'AppData\Local\Microsoft\Teams\Update.exe'
      - '--processStart *.exe'
    ParentImage|endswith:
      - 'update.exe'
  filter:
    Image|endswith:
      - 'Teams.exe'
  condition: selection1 and not filter
falsepositives:
  - Unlikely
level: high
tags:
  - attack.defense_evasion
  - attack.t1218
```
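To see how the `selection1 and not filter` condition behaves, the following added example (not part of the rule or the Sigma project) re-implements the rule's matching logic in plain Python and runs it over a handful of constructed Windows process_creation events. It assumes Sigma's default semantics: string comparisons are case-insensitive, `*` inside a value is a wildcard, `contains` wraps the value in wildcards, and `endswith` anchors it at the end. The field names follow Sigma's process_creation taxonomy; the `id` key, paths, user name and the child executable names in the sample events are invented for illustration.

```python
import fnmatch

# Mirror of the rule's `selection1` block. Both ParentCommandLine patterns must be
# contained (|contains|all) and ParentImage must end with one of the listed values.
PARENT_CMDLINE_CONTAINS_ALL = [
    r"AppData\Local\Microsoft\Teams\Update.exe",
    "--processStart *.exe",
]
PARENT_IMAGE_ENDSWITH = ["update.exe"]

# Mirror of the rule's `filter` block: the child Update.exe is expected to launch.
FILTER_IMAGE_ENDSWITH = ["Teams.exe"]


def _contains(value: str, pattern: str) -> bool:
    """Sigma `contains`: case-insensitive, `*` in the pattern is a wildcard,
    and the pattern may appear anywhere in the value."""
    return fnmatch.fnmatchcase(value.lower(), "*" + pattern.lower() + "*")


def _endswith(value: str, pattern: str) -> bool:
    """Sigma `endswith`: case-insensitive match anchored at the end of the value."""
    return fnmatch.fnmatchcase(value.lower(), "*" + pattern.lower())


def selection1(event: dict) -> bool:
    cmdline = event.get("ParentCommandLine", "")
    parent = event.get("ParentImage", "")
    return all(_contains(cmdline, p) for p in PARENT_CMDLINE_CONTAINS_ALL) and any(
        _endswith(parent, p) for p in PARENT_IMAGE_ENDSWITH
    )


def filter_(event: dict) -> bool:
    image = event.get("Image", "")
    return any(_endswith(image, p) for p in FILTER_IMAGE_ENDSWITH)


def matches(event: dict) -> bool:
    """The rule's condition: selection1 and not filter."""
    return selection1(event) and not filter_(event)


# Constructed sample events (assumption: these are illustrative, not real telemetry).
_TEAMS_DIR = r"C:\Users\alice\AppData\Local\Microsoft\Teams"
SAMPLE_EVENTS = [
    {
        # Normal Teams start-up: Update.exe launches Teams.exe, removed by the filter.
        "id": "benign-teams-launch",
        "ParentImage": _TEAMS_DIR + r"\Update.exe",
        "ParentCommandLine": '"' + _TEAMS_DIR + r'\Update.exe" --processStart "Teams.exe"',
        "Image": _TEAMS_DIR + r"\current\Teams.exe",
    },
    {
        # Same launcher, but the child is not Teams.exe: this is what the rule flags.
        "id": "sideloaded-child",
        "ParentImage": _TEAMS_DIR + r"\Update.exe",
        "ParentCommandLine": '"' + _TEAMS_DIR + r'\Update.exe" --processStart "unexpected.exe"',
        "Image": _TEAMS_DIR + r"\current\unexpected.exe",
    },
    {
        # Case variation in the parent path still matches (Sigma is case-insensitive).
        "id": "sideloaded-child-upper",
        "ParentImage": _TEAMS_DIR.upper() + r"\UPDATE.EXE",
        "ParentCommandLine": _TEAMS_DIR.upper() + r"\UPDATE.EXE --PROCESSSTART other.EXE",
        "Image": _TEAMS_DIR + r"\current\other.exe",
    },
    {
        # Unrelated process tree: selection1 is false, so the rule is silent.
        "id": "unrelated",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": "explorer.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
    },
]


def run(events: list = SAMPLE_EVENTS) -> list:
    """Return the ids of events that trigger the rule."""
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{event['id']:<24} selection1={selection1(event)!s:<5} "
              f"filter={filter_(event)!s:<5} alert={matches(event)}")
```

The output table makes the role of the filter visible: the benign Teams launch satisfies `selection1` just as the side-loading case does, and only the `Image|endswith: Teams.exe` exclusion separates them. That is also the rule's blind spot a defender should keep in mind when tuning: anything named `Teams.exe` started through `--processStart` will be suppressed, so pairing this rule with path or signature checks on the child is worthwhile.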