Malicious Windows Script Components File Execution by TAEF Detection

Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe

Sigma rule (View on GitHub)

 1title: Malicious Windows Script Components File Execution by TAEF Detection
 2id: 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b
 3status: test
 4description: |
 5  Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces
 6  Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe  
 7references:
 8    - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/
 9    - https://twitter.com/pabraeken/status/993298228840992768
10    - https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/
11author: 'Agro (@agro_sev) oscd.community'
12date: 2020-10-13
13modified: 2021-11-27
14tags:
15    - attack.defense-evasion
16    - attack.t1218
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection:
22        - Image|endswith: '\te.exe'
23        - ParentImage|endswith: '\te.exe'
24        - OriginalFileName: '\te.exe'
25    condition: selection
26falsepositives:
27    - It's not an uncommon to use te.exe directly to execute legal TAEF tests
28level: low

References

Related rules

to-top