Forum Discussion
Andrew Matthews
Jun 27, 2019Iron Contributor
Teams Updater Vulnerability
There are reports circulating that the Teams auto-update process suffers from the same unsigned code execution as other applications built with Electron. Running the Update.exe processStart wit...
- Nov 14, 2019
This particular squirrel vulnerability was fixed in Teams version 1.2.00.21068.
Thanks!
John
Mattias Borg
Jul 01, 2019Brass Contributor
Yep, the problem is with squirrel and affects a long list of apps.
But you can hunt for them with Defender ATP:
ProcessCreationEvents
| where ProcessCommandLine has "update.exe"
| where (ProcessCommandLine contains "http") and (ProcessCommandLine contains "--update")
| extend exeURL = case(ProcessCommandLine has "=",split(ProcessCommandLine, "=", 1),
ProcessCommandLine !has "=", split(ProcessCommandLine, "--update ",1),
"Default")
| where exeURL != "Default"
| sort by EventTime desc
| project EventTime,
    ComputerName,
    exeURL,
    FolderPath,
    ProcessCommandLine,
    AccountName,
    InitiatingProcessCommandLine,
    ReportId,
    ProcessId,
    InitiatingProcessId
This query only focuses on the update part, but you can easily change this to include the procstart param.
http://blog.sec-labs.com/2019/07/hunt-for-nuget-squirrel-update/
Andrew Matthews
Jul 01, 2019Iron Contributor
Mattias Borg Awesome. Great tip. I did go looking for a Defender ATP hunt command but obviously did not look hard enough.
- Mattias BorgJul 02, 2019Brass Contributor
Andrew Matthews I've updated the query to catch all parameters used by squirrel and 2 URLs I know are legit. Other apps using squirrel which are also affected by this
ProcessCreationEvents
| where (ProcessCommandLine has "update.exe") or (ProcessCommandLine has "squirrel.exe")
| where (ProcessCommandLine contains "http")
| extend URL=extract(@"((http:|https:)+[^\s]+[\w])", 1, ProcessCommandLine)
| where URL !in ("https://slack.com/desktop/update/windows_x64", "https://discordapp.com/api/updates/stable")
| sort by EventTime desc
| project EventTime, ComputerName, URL, FolderPath, ProcessCommandLine, AccountName, InitiatingProcessCommandLine, ReportId, ProcessId, InitiatingProcessId
Happy Hunting!
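As an added illustration that is not part of this thread, the same filter logic as the query above re-implemented in Python over a few constructed ProcessCreationEvents rows, so the matching can be checked offline before the query is run in Defender ATP. The host names, paths and documentation-range IPs in the sample rows are made up, and KQL's term-based `has` is approximated by a case-insensitive substring match.

```python
import re
from typing import Dict, Iterable, List, Optional

# Same regex as the thread's query: first http(s) URL in the command line.
URL_RE = re.compile(r"((http:|https:)+[^\s]+[\w])")

# Update URLs the thread treats as known-good (Slack and Discord).
KNOWN_GOOD_URLS = {
    "https://slack.com/desktop/update/windows_x64",
    "https://discordapp.com/api/updates/stable",
}

# Constructed sample rows (documentation-range IPs, made-up hosts); not real telemetry.
SAMPLE_EVENTS = [
    {"EventTime": "2019-07-02T08:00:00Z", "ComputerName": "ws01",
     "ProcessCommandLine": "Update.exe --update=http://203.0.113.10/pkg"},
    {"EventTime": "2019-07-02T09:00:00Z", "ComputerName": "ws02",
     "ProcessCommandLine": "Update.exe --update https://slack.com/desktop/update/windows_x64"},
    {"EventTime": "2019-07-02T09:30:00Z", "ComputerName": "ws01",
     "ProcessCommandLine": "Update.exe --processStart Teams.exe"},  # no URL: ignored
    {"EventTime": "2019-07-02T10:00:00Z", "ComputerName": "ws03",
     "ProcessCommandLine": "squirrel.exe --update https://198.51.100.7/feed"},
]


def extract_update_url(cmdline: str) -> Optional[str]:
    """Mirror KQL extract(..., 1, ...): capture group 1, or None if no match."""
    m = URL_RE.search(cmdline)
    return m.group(1) if m else None


def hunt_squirrel_updates(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return rows where a Squirrel updater was launched with a URL that is
    not on the known-good list, newest first (same filters as the KQL)."""
    hits = []
    for ev in events:
        cmd = ev.get("ProcessCommandLine", "")
        low = cmd.lower()  # approximates KQL's case-insensitive has/contains
        if "update.exe" not in low and "squirrel.exe" not in low:
            continue
        if "http" not in low:
            continue
        url = extract_update_url(cmd)
        if url is None or url in KNOWN_GOOD_URLS:
            continue
        hits.append({**ev, "URL": url})
    hits.sort(key=lambda e: e["EventTime"], reverse=True)  # sort by EventTime desc
    return hits
```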