As part of threat hunting and research, I have been looking at possible ways to evade EDR solutions and basic whitelisting rules, in order to build better defences. The most challenging factor is manual threat hunting without any alerts from tools; this is exactly where a technique like this one is most likely to slip past the naked eye.
We know about the DLL sideloading method: loading a malicious DLL when a legitimate application resolves its dependencies.
In this post I will concentrate on EXE sideloading, which works similarly to DLL sideloading.
Microsoft Teams:
- The Microsoft Teams update.exe / squirrel.exe binaries are prone to this technique. Microsoft Teams blindly executes any file at the path /current/payload.exe; it also needs a dummy RELEASES file inside /packages/. So the package looks like this:
-> /current/payload.exe
-> /packages/RELEASES
The previous vulnerability we reported required a Squirrel-based application to be installed on the machine, but this one does not require any Squirrel-based application to be installed; instead, only a minimal package has to be delivered in order to execute, like we saw with the PlugX malware.
As a responsible disclosure, I reported this to Microsoft and they responded that it “did not meet the bar of security issue”.
Steps to Reproduce:
- Open the dummy package https://github.com/jreegun/POC-s/blob/master/Exe%20Sideloading/Teams_ESL.zip
- Go to the current folder and place your payload as "Teams.exe".
- Run update.exe with this argument:
- update.exe --processStart="Teams.exe"
- Now the payload will execute under the Microsoft Teams signed binary.
- This can be used by adversaries to execute their malware, which may bypass EDR and basic whitelisting rules.
- Because the executable is launched from an expected, signed binary, some defence mechanisms will be bypassed.
- Example: as described here https://docs.microsoft.com/en-us/previous-versions/bb756960(v=msdn.10), Microsoft implemented "Installer detection", which automatically prompts for UAC when the filename contains keywords such as "install", "setup" or "update".
- The above can be bypassed, because the MS Teams update.exe does not require UAC.
Tested Products: (most Squirrel-based packages are affected; I have listed some of the top ones)
- Microsoft Teams (Affected)
- Grammarly (Affected)
- GitHub (Affected)
- Slack (Affected)
- WhatsApp (Affected)
- Discord (Affected)
NuGet is a package manager that hosts already-built libraries, compiled DLLs and binaries.
Squirrel is an installer that uses packages created with NuGet; it works as a one-click installer.
So not all NuGet packages are vulnerable, but all applications using the Squirrel installer are vulnerable.
Microsoft Teams ->
-> app-2.1.3 (version number) / payload.exe
-> app-0.3.4479 (version number) / payload.exe
-> app-4.0.2 (version number) / payload.exe
-> app-1.5.52 (version number) / payload.exe
-> app-0.0.305 (version number) / payload.exe
I tested the remaining applications. All applications except Microsoft Teams require the correct version folder, the RELEASES file and the corresponding update file to make it work; I think that is not a big deal.
I shared the minimal packages for the other applications here https://github.com/jreegun/POC-s/tree/master/Exe%20Sideloading ; just place your payload inside the version folder and execute update.exe --processStart="payload.exe".
Microsoft Teams has no requirement like this: it needs just the "current" folder and packages/RELEASES (with any content).
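From the defender's side, the observable is a Squirrel launcher (update.exe / squirrel.exe) invoked with --processStart from somewhere other than the product's real per-user install root, or a launcher under the real root being asked to start an executable other than the one the product normally starts. The following is an added example, not part of the original post: it runs that check over a few constructed Sysmon-style process-creation events; the install roots, user name and expected executable names are assumptions you would replace with your environment's values.

```python
"""Flag Squirrel update.exe --processStart abuse in process-creation events (constructed sample data)."""
import re
from pathlib import PureWindowsPath

# Assumed per-user Squirrel install roots and the executable each one legitimately starts.
KNOWN_ROOTS = {
    r"C:\Users\alice\AppData\Local\Microsoft\Teams": "teams.exe",
    r"C:\Users\alice\AppData\Local\slack": "slack.exe",
}
LAUNCHERS = {"update.exe", "squirrel.exe"}
# Matches --processStart "X", --processStart=X and --processStart="X"
PROCESS_START = re.compile(r'--processStart[=\s]+"?([^"\s]+)', re.IGNORECASE)


def _under(path, root):
    """True if path lies inside root (case-insensitive, Windows separators)."""
    return path.lower().startswith(root.lower().rstrip("\\") + "\\")


def flag_event(event):
    """Return reasons this event looks like EXE sideloading; an empty list means benign."""
    reasons = []
    image = PureWindowsPath(event["Image"])
    if image.name.lower() in LAUNCHERS:
        m = PROCESS_START.search(event.get("CommandLine", ""))
        if m:
            root = next((r for r in KNOWN_ROOTS if _under(str(image), r)), None)
            if root is None:
                reasons.append(f"Squirrel launcher outside known install roots: {image}")
            elif m.group(1).lower() != KNOWN_ROOTS[root]:
                reasons.append(f"--processStart requested {m.group(1)!r}, expected {KNOWN_ROOTS[root]!r}")
    parent = PureWindowsPath(event.get("ParentImage", ""))
    if parent.name.lower() in LAUNCHERS and not any(_under(str(parent), r) for r in KNOWN_ROOTS):
        reasons.append(f"child {image.name} spawned by Squirrel launcher at unexpected path {parent.parent}")
    return reasons


# Constructed events: a normal Teams start, then a copied launcher run from Downloads and its child.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\alice\Downloads\Teams_ESL\Update.exe",
     "CommandLine": 'Update.exe --processStart="Teams.exe"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\alice\Downloads\Teams_ESL\current\Teams.exe",
     "CommandLine": r'"C:\Users\alice\Downloads\Teams_ESL\current\Teams.exe"',
     "ParentImage": r"C:\Users\alice\Downloads\Teams_ESL\Update.exe"},
]


def scan(events):
    """Map event index -> reasons for every flagged event."""
    return {i: flag_event(e) for i, e in enumerate(events) if flag_event(e)}
```

The second rule also catches the case the post describes for the other Squirrel products, where the launcher sits under the real install root but is pointed at a payload name instead of the product's own executable.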