
Process Proxy Execution Via Squirrel.EXE

Format: Sigma · Level: medium · Source: SigmaHQ · ATT&CK: T1218 · Sentinel table: imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-20T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects the usage of the "Squirrel.exe" binary (also shipped as "Update.exe") to execute arbitrary processes. This binary is part of multiple Electron-based software installations (Slack, Teams, Discord, etc.).

Detection Rule

Sigma (Original)

title: Process Proxy Execution Via Squirrel.EXE
id: 45239e6a-b035-4aaf-b339-8ad379fcb67e
related:
    - id: 1e75c1cc-c5d4-42aa-ac3d-91b0b68b3b4c
      type: similar
    - id: fa4b21c9-0057-4493-b289-2556416ae4d7
      type: obsolete
status: test
description: |
    Detects the usage of the "Squirrel.exe" binary to execute arbitrary processes. This binary is part of multiple Electron based software installations (Slack, Teams, Discord, etc.)
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/
    - http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/
    - http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/
author: Nasreddine Bencherchali (Nextron Systems), Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
date: 2022-06-09
modified: 2025-10-07
tags:
    - attack.execution
    - attack.stealth
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '\squirrel.exe'
            - '\update.exe'
    selection_exec:
        CommandLine|contains:
            - '--processStart'
            - '--processStartAndWait'
            - '--createShortcut'
    filter_optional_discord:
        CommandLine|contains|all:
            - ':\Users\'
            - '\AppData\Local\Discord\Update.exe'
            - 'Discord.exe'
        CommandLine|contains:
            - '--createShortcut'
            - '--processStart'
    filter_optional_github_desktop:
        CommandLine|contains|all:
            - ':\Users\'
            - '\AppData\Local\GitHubDesktop\Update.exe'
            - 'GitHubDesktop.exe'
        CommandLine|contains:
            - '--createShortcut'
            - '--processStartAndWait'
    filter_optional_teams:
        CommandLine|contains|all:
            - ':\Users\'
            - '\AppData\Local\Microsoft\Teams\Update.exe'
            - 'Teams.exe'
        CommandLine|contains:
            - '--processStart'
            - '--createShortcut'
    filter_optional_yammer:
        CommandLine|contains|all:
            - ':\Users\'
            - '\AppData\Local\yammerdesktop\Update.exe'
            - 'Yammer.exe'
        CommandLine|contains:
            - '--processStart'
            - '--createShortcut'
    condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
    - Expected FP with some Electron based applications such as (1Clipboard, Beaker Browser, Caret, Discord, GitHub Desktop, etc.)
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where (TargetProcessName endswith "\\squirrel.exe" or TargetProcessName endswith "\\update.exe")
    and (TargetProcessCommandLine contains "--processStart"
        or TargetProcessCommandLine contains "--processStartAndWait"
        or TargetProcessCommandLine contains "--createShortcut")
    // filter_optional_*: known-good per-user Squirrel launches of Discord, GitHub Desktop, Teams and Yammer
    and not(
        ((TargetProcessCommandLine contains ":\\Users\\"
            and TargetProcessCommandLine contains "\\AppData\\Local\\Discord\\Update.exe"
            and TargetProcessCommandLine contains "Discord.exe")
          and (TargetProcessCommandLine contains "--createShortcut" or TargetProcessCommandLine contains "--processStart"))
        or ((TargetProcessCommandLine contains ":\\Users\\"
            and TargetProcessCommandLine contains "\\AppData\\Local\\GitHubDesktop\\Update.exe"
            and TargetProcessCommandLine contains "GitHubDesktop.exe")
          and (TargetProcessCommandLine contains "--createShortcut" or TargetProcessCommandLine contains "--processStartAndWait"))
        or ((TargetProcessCommandLine contains ":\\Users\\"
            and TargetProcessCommandLine contains "\\AppData\\Local\\Microsoft\\Teams\\Update.exe"
            and TargetProcessCommandLine contains "Teams.exe")
          and (TargetProcessCommandLine contains "--processStart" or TargetProcessCommandLine contains "--createShortcut"))
        or ((TargetProcessCommandLine contains ":\\Users\\"
            and TargetProcessCommandLine contains "\\AppData\\Local\\yammerdesktop\\Update.exe"
            and TargetProcessCommandLine contains "Yammer.exe")
          and (TargetProcessCommandLine contains "--processStart" or TargetProcessCommandLine contains "--createShortcut"))
    )
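As an added example (it is not SigmaHQ's code and not part of the original rule page), the following Python re-implements the rule's two selections, four optional filters and the condition `all of selection_* and not 1 of filter_optional_*`, so the logic can be exercised offline against constructed process-creation events. It assumes Sigma's default case-insensitive substring semantics for `contains` and `endswith`, which is also what the KQL translation relies on. The sample events are constructed, not real telemetry. The GitHub Desktop event illustrates a tuning detail that follows from substring matching: that filter lists only `--createShortcut` and `--processStartAndWait`, so a plain `--processStart` launch still fires, whereas for Teams, Discord and Yammer the `--processStart` entry also covers `--processStartAndWait` because the former is a substring of the latter.

```python
"""Reference matcher for the Squirrel.exe / Update.exe proxy-execution rule.

Added example: a plain-Python re-implementation of the Sigma rule's
selection, filter and condition logic, for offline testing against
constructed events. Sigma `contains` / `endswith` are case-insensitive.
"""
from dataclasses import dataclass

# selection_img: Image|endswith
IMAGE_SUFFIXES = (r"\squirrel.exe", r"\update.exe")
# selection_exec: CommandLine|contains
EXEC_FLAGS = ("--processStart", "--processStartAndWait", "--createShortcut")

# filter_optional_*: (substrings that must ALL appear, flags of which ONE must appear)
# ":\Users\" is written with doubled backslashes because a raw string
# cannot end in a single backslash.
OPTIONAL_FILTERS = {
    "discord": ((":\\Users\\", r"\AppData\Local\Discord\Update.exe", "Discord.exe"),
                ("--createShortcut", "--processStart")),
    "github_desktop": ((":\\Users\\", r"\AppData\Local\GitHubDesktop\Update.exe", "GitHubDesktop.exe"),
                       ("--createShortcut", "--processStartAndWait")),
    "teams": ((":\\Users\\", r"\AppData\Local\Microsoft\Teams\Update.exe", "Teams.exe"),
              ("--processStart", "--createShortcut")),
    "yammer": ((":\\Users\\", r"\AppData\Local\yammerdesktop\Update.exe", "Yammer.exe"),
               ("--processStart", "--createShortcut")),
}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process_creation event: only the two fields the rule reads."""
    image: str
    command_line: str


def _contains(haystack: str, needle: str) -> bool:
    return needle.lower() in haystack.lower()


def _endswith(haystack: str, suffix: str) -> bool:
    return haystack.lower().endswith(suffix.lower())


def selection_matches(ev: ProcessEvent) -> bool:
    """all of selection_*: image suffix AND one of the Squirrel verbs."""
    image_ok = any(_endswith(ev.image, s) for s in IMAGE_SUFFIXES)
    exec_ok = any(_contains(ev.command_line, f) for f in EXEC_FLAGS)
    return image_ok and exec_ok


def matching_filters(ev: ProcessEvent) -> list:
    """Names of the optional filters this event satisfies (usually 0 or 1)."""
    hits = []
    for name, (all_of, one_of) in OPTIONAL_FILTERS.items():
        if all(_contains(ev.command_line, s) for s in all_of) and \
           any(_contains(ev.command_line, f) for f in one_of):
            hits.append(name)
    return hits


def rule_fires(ev: ProcessEvent) -> bool:
    """condition: all of selection_* and not 1 of filter_optional_*"""
    return selection_matches(ev) and not matching_filters(ev)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: normal per-user Discord launch -> excluded by filter_optional_discord
    ProcessEvent(r"C:\Users\alice\AppData\Local\Discord\Update.exe",
                 r'"C:\Users\alice\AppData\Local\Discord\Update.exe" --processStart Discord.exe'),
    # 1: GitHub Desktop with plain --processStart -> its filter only lists
    #    --createShortcut / --processStartAndWait, so the rule still fires
    ProcessEvent(r"C:\Users\alice\AppData\Local\GitHubDesktop\Update.exe",
                 r'"C:\Users\alice\AppData\Local\GitHubDesktop\Update.exe" --processStart GitHubDesktop.exe'),
    # 2: Update.exe from an unexpected directory starting another binary -> fires
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\Update.exe",
                 r'"C:\Users\alice\AppData\Local\Temp\Update.exe" --processStart=notepad.exe'),
    # 3: unrelated process -> selection does not match
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]


def triage(events) -> list:
    """Return (command_line, fires, matched_filters) for each event."""
    return [(ev.command_line, rule_fires(ev), matching_filters(ev)) for ev in events]


if __name__ == "__main__":
    for cmd, fires, filters in triage(SAMPLE_EVENTS):
        print(f"{'ALERT ' if fires else 'ok    '} filters={filters or '-'}  {cmd}")
```

Run it directly to see which of the four constructed events would alert; swap in your own events to check a proposed `filter_optional_*` entry before adding it to the rule.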

Required Data Sources

Sentinel Table     Notes
imProcessCreate    Ensure this data connector is enabled

False Positive Guidance

The rule author lists expected false positives from Electron-based applications such as 1Clipboard, Beaker Browser, Caret, Discord and GitHub Desktop. The rule's optional filters already exclude standard per-user launches of Discord, GitHub Desktop, Teams and Yammer; each filter requires the full Update.exe path under \AppData\Local\, the launched application's executable name and one of the Squirrel verbs, so other Electron applications in your estate will need an equivalent filter entry rather than a blanket exclusion on the verb alone.

MITRE ATT&CK Context

T1218 is System Binary Proxy Execution. The rule is tagged attack.execution, attack.stealth and attack.t1218.

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml