Malicious Windows Script Components File Execution by TAEF Detection
The Windows Test Authoring and Execution Framework (TAEF) runs automation by executing test files written in different languages (C, C#, and Microsoft COM scripting interfaces). Adversaries may execute malicious code (such as a WSC file containing VBScript, a DLL, and so on) directly by running te.exe.
Sigma rule
```yaml
title: Malicious Windows Script Components File Execution by TAEF Detection
id: 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b
status: test
description: |
    The Windows Test Authoring and Execution Framework (TAEF) runs automation by executing test files written in different languages (C, C#, and Microsoft COM scripting interfaces).
    Adversaries may execute malicious code (such as a WSC file containing VBScript, a DLL, and so on) directly by running te.exe.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/
    - https://twitter.com/pabraeken/status/993298228840992768
    - https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/
author: 'Agro (@agro_sev) oscd.community'
date: 2020-10-13
modified: 2021-11-27
tags:
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\te.exe'
        - ParentImage|endswith: '\te.exe'
        # OriginalFileName is read from the PE version resource and never
        # carries a path, so a backslash-prefixed value would never match;
        # the bare file name is used here (Sigma compares case-insensitively).
        - OriginalFileName: 'te.exe'
    condition: selection
falsepositives:
    - It is not uncommon to run te.exe directly to execute legitimate TAEF tests
level: low
```
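To see what this selection actually catches, here is an added example (not part of the Sigma rule, SigmaHQ tooling, or the rule author's work): a small Python evaluator for the rule's OR-ed selection, run over constructed process-creation events using Sysmon Event ID 1 field names. The events, paths, and command lines are made up for the example; the assumption that the TAEF binary's version-resource OriginalFileName is "TE.exe" is also an assumption of this example. It also shows why an OriginalFileName pattern that includes a path separator can never match, since that field holds only the file name.

```python
from typing import Dict, List, Tuple

# (field, modifier, pattern). A list under `selection` in Sigma is OR-ed, and
# string matching is case-insensitive by default; this evaluator mirrors both.
Clause = Tuple[str, str, str]

SELECTION: List[Clause] = [
    ("Image", "endswith", "\\te.exe"),
    ("ParentImage", "endswith", "\\te.exe"),
    # OriginalFileName comes from the PE version resource and never carries a
    # path, so the pattern is the bare name. Assumption: TAEF's te.exe reports
    # "TE.exe" here; the comparison is case-insensitive anyway.
    ("OriginalFileName", "equals", "te.exe"),
]

# The same selection with a path-qualified OriginalFileName pattern; used below
# to show that such a clause is dead and the renamed-binary case is lost.
PATH_QUALIFIED_SELECTION: List[Clause] = SELECTION[:2] + [
    ("OriginalFileName", "equals", "\\te.exe"),
]


def clause_matches(value: str, modifier: str, pattern: str) -> bool:
    """Evaluate one Sigma string clause with case-insensitive semantics."""
    v, p = value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "equals":
        return v == p
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_te_rule(event: Dict[str, str], selection: List[Clause] = SELECTION) -> bool:
    """True when any clause of the OR-ed selection matches the event."""
    return any(
        field in event and clause_matches(event[field], modifier, pattern)
        for field, modifier, pattern in selection
    )


# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {  # 0: TAEF run from its normal install location by a developer (expected false positive)
        "Image": r"C:\Program Files (x86)\Windows Kits\10\Testing\Runtimes\TAEF\te.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "TE.exe",
        "CommandLine": "te.exe MyUnitTests.dll",
    },
    {  # 1: te.exe copied to a user-writable path and pointed at a .wsc file
        "Image": r"C:\Users\alice\Downloads\te.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "OriginalFileName": "TE.exe",
        "CommandLine": "te.exe component.wsc",
    },
    {  # 2: child process spawned by te.exe; caught by the ParentImage clause only
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Users\alice\Downloads\te.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c whoami",
    },
    {  # 3: te.exe renamed on disk; only OriginalFileName still identifies it
        "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "OriginalFileName": "TE.exe",
        "CommandLine": "svc.exe tests.dll",
    },
    {  # 4: unrelated benign process
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": "notepad.exe notes.txt",
    },
]


def matching_indices(events: List[Dict[str, str]], selection: List[Clause] = SELECTION) -> List[int]:
    """Indices of the events the selection fires on, in input order."""
    return [i for i, e in enumerate(events) if matches_te_rule(e, selection)]


if __name__ == "__main__":
    print("bare OriginalFileName   :", matching_indices(SAMPLE_EVENTS))
    print("path-qualified pattern  :", matching_indices(SAMPLE_EVENTS, PATH_QUALIFIED_SELECTION))
```

Running it shows the rule firing on events 0 to 3 and staying quiet on the benign notepad event; event 0 is the legitimate-TAEF case the rule's falsepositives field warns about, which is why the rule is rated low and why the CommandLine (the argument passed to te.exe) is worth surfacing in the alert for triage. With the path-qualified pattern, event 3 (the renamed binary) is no longer detected, because nothing else about that event refers to te.exe.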