← Back to Explore
sigmalowHunting
Malicious Windows Script Components File Execution by TAEF Detection
Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
Detection Query
selection:
- Image|endswith: \te.exe
- ParentImage|endswith: \te.exe
- OriginalFileName: \te.exe
condition: selection
Author
Agro (@agro_sev) oscd.community
Created
2020-10-13
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1218
Raw Content
title: Malicious Windows Script Components File Execution by TAEF Detection
id: 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b
status: test
description: |
Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces
Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/
- https://twitter.com/pabraeken/status/993298228840992768
- https://learn.microsoft.com/en-us/windows-hardware/drivers/taef/
author: 'Agro (@agro_sev) oscd.community'
date: 2020-10-13
modified: 2021-11-27
tags:
- attack.defense-evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\te.exe'
- ParentImage|endswith: '\te.exe'
- OriginalFileName: '\te.exe'
condition: selection
falsepositives:
- It's not an uncommon to use te.exe directly to execute legal TAEF tests
level: low