MSTeams exe side-loading - Update.exe
Detects execution of a side-loaded executable via Update.exe, part of the Microsoft Teams application binary.
Sigma rule
```yaml
title: MSTeams exe side-loading - Update.exe
id: dafa6fd4-dcda-4ef2-81c9-4bf33ce4c299
description: Detects execution of a side-loaded executable via Update.exe, part of the Microsoft Teams application binary.
status: experimental
date: 2022/01/12
author: '@kostastsale'   # '@' starts a reserved YAML indicator, so the handle is quoted
references:
    - https://twitter.com/misconfig/status/1481198346379436035
    - https://twitter.com/Kostastsale/status/1481438427878858755
    - https://github.com/Squirrel/Squirrel.Windows/blob/0d1250aa6f0c25fe22e92add78af327d1277d97d/src/Update/Program.cs#L123
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        ParentCommandLine|contains|all:
            - 'AppData\Local\Microsoft\Teams\Update.exe'
            - '--processStart *.exe'
        ParentImage|endswith:
            - 'update.exe'
    filter:
        # the normal case: Update.exe (Squirrel) starting Teams itself
        Image|endswith:
            - 'Teams.exe'
    condition: selection1 and not filter
falsepositives:
    - Unlikely
level: high
tags:
    - attack.defense_evasion
    - attack.t1218
```
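As an added example (not part of the rule or its page), the rule's matching logic written out in Python and run over three constructed process_creation events: a normal Teams start that the filter suppresses, a foreign executable launched through Update.exe, and an unrelated process tree. Field names follow the rule; the user name and file paths are made up.

```python
import re
from typing import Dict, List

# Constructed sample events, not real telemetry; fields follow the Sigma process_creation taxonomy.
EVENTS: List[Dict[str, str]] = [
    {   # legitimate Teams start: selection1 hits, but the filter excludes it
        "ParentImage": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
        "ParentCommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"',
        "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
    },
    {   # side-loaded binary: Update.exe started something other than Teams.exe
        "ParentImage": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
        "ParentCommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --processStart "sideloaded.exe"',
        "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\sideloaded.exe",
    },
    {   # unrelated process tree: selection1 does not hit
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
    },
]

def _contains(value: str, pattern: str) -> bool:
    """Sigma 'contains' with '*' wildcards; Sigma string matching is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.search(regex, value, re.IGNORECASE) is not None

def _endswith(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())

def rule_matches(event: Dict[str, str]) -> bool:
    """Evaluate the rule's condition 'selection1 and not filter' for one event."""
    parent_cmd = event.get("ParentCommandLine", "")
    selection1 = (
        all(_contains(parent_cmd, p) for p in (r"AppData\Local\Microsoft\Teams\Update.exe", "--processStart *.exe"))
        and _endswith(event.get("ParentImage", ""), "update.exe")
    )
    filtered = _endswith(event.get("Image", ""), "Teams.exe")
    return selection1 and not filtered

def alerts(events: List[Dict[str, str]]) -> List[str]:
    """Return the Image path of every event the rule fires on."""
    return [e["Image"] for e in events if rule_matches(e)]

if __name__ == "__main__":
    for image in alerts(EVENTS):
        print("ALERT:", image)
```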
Related rules
- CMSTP installation of malicious code
- Dumpbin LOLBin use for proxying execution via link.exe
- Wermgr.exe spawning without command line arguments
- VSDiagnostics used for proxying execution malicious binaries