Since the start of the pandemic, video conferencing has become an integral part of the workflow in many organizations. Zoom took the lead first, and cybercriminals immediately began using it as a phishing lure, taking advantage of the fact that a huge number of employees had never used the technology before. Security researchers soon discovered weaknesses that the right settings could only partially close, and many organizations switched to Google Meet and Microsoft Teams. Naturally, researchers have started paying closer attention to these solutions as well, looking for ways cybercriminals could abuse them during attacks. Today we invite you to look at the community rule developed by Den Iuzvik that detects Microsoft Teams updater abuse: https://tdm.socprime.com/tdm/info/bV4m9VDDoGhV/dfNMw3MBQAH5UgbBqDoT/?p=1
Adversaries can use the Microsoft Teams updater (the Squirrel-based Update.exe that ships with the per-user Teams client) to fetch any binary or payload they wish, because the updater accepts a local folder or a network share as the source of product updates instead of only Microsoft's own download location. An attacker can therefore drop a malicious file on an open shared folder inside the target network and point the updater on the victim machine at that share, so that the signed Microsoft binary retrieves and stages the payload on the attacker's behalf. This blends the malicious download into what looks like legitimate update activity, and because Teams installs under the user's local AppData folder, no privileged access is needed to run it. Both the updater process and the unusual update source appear in process-creation telemetry (image path plus command line), which is what the rule keys on.
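To make the detection idea concrete, here is an added Python example (written for this post, not SOC Prime's rule or Microsoft's code) that scans constructed process-creation events and flags Teams updater launches whose update source is a UNC share or a local folder, which is the abuse described above. The Sysmon-style field names (Image, CommandLine), the sample command lines and the hostnames and paths in them are assumptions made up for illustration; the decision to require the Teams install path under AppData (rather than any Squirrel Update.exe) is a design choice of this example to cut noise from other Electron apps that ship the same updater.

```python
import re
from typing import Dict, List, Optional

# Constructed sample events, not real telemetry. Field names follow the
# Sysmon / Sigma process_creation convention (an assumption of this example).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # ordinary update: source is an HTTPS URL (hostname is a placeholder)
        "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --update=https://updates.example.invalid/teams/',
    },
    {   # abuse: update source is an open share inside the network
        "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --update=\\fileserver\public\teamsupdate',
    },
    {   # abuse: update source is a local folder the attacker staged
        "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --update="C:\Users\Public\stage"',
    },
    {   # another app's Squirrel updater: out of scope for this Teams-specific check
        "Image": r"C:\Users\alice\AppData\Local\OtherApp\Update.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\OtherApp\Update.exe" --update=\\fileserver\public\x',
    },
]

# Captures the --update= value, with or without surrounding double quotes.
UPDATE_ARG = re.compile(r'--update=("?)([^"\s]+)\1', re.IGNORECASE)


def is_teams_updater(image: str) -> bool:
    """True for the per-user Teams updater: Update.exe under ...\\Microsoft\\Teams\\."""
    img = image.lower()
    return img.endswith("\\update.exe") and "\\microsoft\\teams\\" in img


def update_source(command_line: str) -> Optional[str]:
    """Return the --update= argument with quotes stripped, or None if absent."""
    m = UPDATE_ARG.search(command_line)
    return m.group(2) if m else None


def is_share_or_local_path(source: str) -> bool:
    """Update sources the post describes as abusable: a UNC share or a local folder."""
    s = source.lower()
    if s.startswith("\\\\"):            # UNC share, e.g. \\server\share
        return True
    if re.match(r"^[a-z]:\\", s):       # local drive path, e.g. C:\Users\Public
        return True
    if s.startswith("file:"):           # file: URI resolving to a local or UNC path
        return True
    return False


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert for a Teams updater launch with a share/local update source."""
    if not is_teams_updater(event.get("Image", "")):
        return None
    source = update_source(event.get("CommandLine", ""))
    if source is None or not is_share_or_local_path(source):
        return None
    return {
        "image": event["Image"],
        "update_source": source,
        "technique": "T1218 Signed Binary Proxy Execution",
    }


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run evaluate() over a batch of events and keep only the alerts."""
    return [alert for alert in (evaluate(e) for e in events) if alert is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Run against the four constructed events, only the two with a share or local-folder source are reported; the HTTPS update and the non-Teams updater are ignored. When porting this to a SIEM, the same two conditions map onto the rule's process-creation fields: image ends with Update.exe under the Teams install path, and the command line's --update= value starts with a UNC prefix or a drive letter rather than https://. Tune the image filter to your environment (other Squirrel-based apps use an identically named Update.exe) and validate against a few days of real telemetry before alerting.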
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio
EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint
Tactics: Execution, Defense Evasion
Techniques: Signed Binary Proxy Execution (T1218)