Rule of the Week: Microsoft Teams Updater Abuse

Since the start of the pandemic, video conferencing solutions have become an integral part of the workflow in many organizations. First, Zoom took the lead, and many cybercriminals immediately began using it in phishing campaigns, taking advantage of the fact that a huge number of employees had not previously used this technology. Soon, security researchers discovered gaps that could only be partially closed with the right settings, and organizations switched to Google Meet and Microsoft Teams. Naturally, security researchers have started to pay more attention to these solutions and to uncover ways cybercriminals could use them during attacks. And today we invite you to pay attention to the community rule developed by Den Iuzvik that uncovers Microsoft Teams updater abuse: https://tdm.socprime.com/tdm/info/bV4m9VDDoGhV/dfNMw3MBQAH5UgbBqDoT/?p=1

Adversaries can use the Microsoft Teams Updater to download any binary or payload they wish, because the updater accepts local sources (a network share or a local folder) for product updates. Thus, adversaries can drop the malicious file on an open shared folder inside the targeted organization's network and then have the updater fetch the payload from that share onto the victim machine. Attackers can use this method to hide the malicious traffic, and since Teams is installed in the user's local AppData folder, no privileged access is needed.
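As an added illustration (not code from the post or from the rule's author), here is a small Python detector in the spirit of the rule: it runs over constructed process-creation events and flags Teams Update.exe launches whose update source is a UNC share or a local folder rather than a remote URL. The flattened `Image=... CommandLine=...` line format and the sample paths are assumptions; `--update=` is the Squirrel updater's argument for the update source.

```python
import re
from typing import List, Tuple

# Constructed sample process-creation events in a flattened "Image=... CommandLine=..."
# shape (as one might export from Sysmon Event ID 1 or an EDR); illustrative only.
SAMPLE_EVENTS = [
    r"Image=C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe "
    r"CommandLine=Update.exe --update=\\fileserver\public\teams",
    r"Image=C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe "
    r"CommandLine=Update.exe --update=C:\Users\Public\drop",
    r"Image=C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe "
    r"CommandLine=Update.exe --update=https://update.example.invalid/teams/",
    r"Image=C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe "
    r"CommandLine=Update.exe --processStart Teams.exe",
    r"Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe C:\temp\notes.txt",
]

EVENT_RE = re.compile(r"^Image=(?P<image>.+?) CommandLine=(?P<cmd>.+)$")
# The Teams updater lives in the per-user AppData folder, so no admin rights are needed.
TEAMS_UPDATER_RE = re.compile(r"\\microsoft\\teams\\update\.exe$", re.IGNORECASE)
# Squirrel's Update.exe takes the update source via --update=<source>.
UPDATE_ARG_RE = re.compile(r"--update=\"?([^\s\"]+)", re.IGNORECASE)
UNC_RE = re.compile(r"^\\\\")           # \\server\share
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")  # C:\...


def classify_source(source: str) -> str:
    """Return 'unc_share', 'local_path' or 'remote' for an update source."""
    if UNC_RE.match(source):
        return "unc_share"
    if DRIVE_RE.match(source):
        return "local_path"
    return "remote"


def detect_teams_updater_abuse(events: List[str]) -> List[Tuple[str, str]]:
    """Flag Teams Update.exe launches whose update source is a share or local folder."""
    alerts = []
    for line in events:
        m = EVENT_RE.match(line)
        if not m or not TEAMS_UPDATER_RE.search(m.group("image")):
            continue
        arg = UPDATE_ARG_RE.search(m.group("cmd"))
        if not arg:
            continue  # e.g. --processStart, the normal client launch path
        kind = classify_source(arg.group(1))
        if kind != "remote":
            alerts.append((kind, arg.group(1)))
    return alerts


if __name__ == "__main__":
    for kind, src in detect_teams_updater_abuse(SAMPLE_EVENTS):
        print(f"ALERT Teams updater pulled update from {kind}: {src}")
```

The remote-URL case is deliberately left unflagged here; a production rule would additionally compare it against the expected update hosts.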

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint

MITRE ATT&CK:

Tactics: Execution, Defense Evasion

Techniques: Signed Binary Proxy Execution (T1218)

Ready to try out SOC Prime TDM? Sign up for free. Or join the Threat Bounty Program to craft your own content and share it with the TDM community.