Malicious Windows Script Components File Execution by TAEF Detection

The Windows Test Authoring and Execution Framework (TAEF) allows you to run automation by executing test files written in different languages (C, C#, Microsoft COM scripting interfaces). Adversaries may execute malicious code (such as a WSC file containing VBScript, a DLL, and so on) directly by running te.exe, the TAEF test runner.

Sigma rule

title: Malicious Windows Script Components File Execution by TAEF Detection
id: 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b
status: test
description: |
  The Windows Test Authoring and Execution Framework (TAEF) allows you to run automation by executing test files written in different languages (C, C#, Microsoft COM scripting interfaces).
  Adversaries may execute malicious code (such as a WSC file containing VBScript, a DLL, and so on) directly by running te.exe.
references:
    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/
    - https://twitter.com/pabraeken/status/993298228840992768
    - https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/
author: 'Agro (@agro_sev) oscd.community'
date: 2020/10/13
modified: 2021/11/27
tags:
    - attack.defense_evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith: '\te.exe'
        - ParentImage|endswith: '\te.exe'
        # OriginalFileName carries the PE header name only (no path), so a leading backslash would never match;
        # matching the bare name also catches a renamed copy of the binary
        - OriginalFileName: 'te.exe'
    condition: selection
falsepositives:
    - It is not uncommon to use te.exe directly to execute legitimate TAEF tests
level: low
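The selection above is a YAML list, so its three entries are OR-ed: an event matches if the process image is te.exe, if its parent is te.exe, or if the PE header's original file name is te.exe (which survives renaming the binary). The following added example, which is not part of the Sigma project or of this rule, evaluates that logic in Python against a handful of constructed process_creation events to show which branch fires and why the `\`-anchored `endswith` patterns do not match a different binary whose name merely ends in "te.exe". Field names follow the Sysmon-style schema used by Sigma; the events themselves are made up.

```python
from typing import Dict, List, Optional, Tuple

# Mirrors the rule's selection block. Each tuple is one OR branch:
# (field, modifier, pattern). "equals" stands for the plain (no modifier) match.
SELECTION: List[Tuple[str, str, str]] = [
    ("Image", "endswith", "\\te.exe"),
    ("ParentImage", "endswith", "\\te.exe"),
    ("OriginalFileName", "equals", "te.exe"),
]


def field_matches(value: Optional[str], modifier: str, pattern: str) -> bool:
    """Sigma string matching is case-insensitive by default; a missing field never matches."""
    if value is None:
        return False
    v, p = value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    return v == p


def matched_branches(event: Dict[str, str]) -> List[str]:
    """Return the names of the selection fields that matched (empty list = no alert)."""
    return [field for field, mod, pat in SELECTION if field_matches(event.get(field), mod, pat)]


def rule_matches(event: Dict[str, str]) -> bool:
    # condition: selection  ->  any branch of the list matching is enough
    return bool(matched_branches(event))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # te.exe launched directly with a script component file
        "EventID": "1", "Image": "C:\\Windows\\System32\\te.exe",
        "ParentImage": "C:\\Windows\\explorer.exe", "OriginalFileName": "TE.exe",
        "CommandLine": "te.exe payload.wsc",
    },
    {   # a child process spawned by te.exe
        "EventID": "2", "Image": "C:\\Windows\\System32\\cmd.exe",
        "ParentImage": "C:\\Windows\\System32\\te.exe", "OriginalFileName": "Cmd.Exe",
    },
    {   # renamed copy of te.exe: only the PE header name gives it away
        "EventID": "3", "Image": "C:\\Users\\Public\\update.exe",
        "ParentImage": "C:\\Windows\\explorer.exe", "OriginalFileName": "TE.exe",
    },
    {   # unrelated binary whose name happens to end in "te.exe": the leading backslash
        # in the endswith pattern prevents a match
        "EventID": "4", "Image": "C:\\Tools\\remote.exe",
        "ParentImage": "C:\\Windows\\explorer.exe", "OriginalFileName": "remote.exe",
    },
    {   # ordinary benign process
        "EventID": "5", "Image": "C:\\Windows\\System32\\notepad.exe",
        "ParentImage": "C:\\Windows\\explorer.exe", "OriginalFileName": "NOTEPAD.EXE",
    },
]


def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map EventID -> matched selection fields, for events that would raise this alert."""
    return {e["EventID"]: matched_branches(e) for e in events if rule_matches(e)}


if __name__ == "__main__":
    for event_id, fields in triage(SAMPLE_EVENTS).items():
        print(f"event {event_id}: alert via {', '.join(fields)}")
```

Because the rule is `level: low` and its own false-positive note says te.exe is routinely used for legitimate TAEF runs, the matched-branch list is what an analyst would pivot on: an `OriginalFileName` hit with an `Image` path outside the TAEF installation (event 3 above) is far more interesting than a plain `Image` hit on a test machine.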
