security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

te.exe LOLbin detection

Browse Source
This commit is contained in:
uncleP@sk
2020-10-14 13:02:45 +03:00
parent c56cd2dfff
commit 8fdca7853c
1 changed files with 27 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/win_susp_use_of_te_bin.yml
+27
View File
@@ -0,0 +1,27 @@
title: Malicious WSC (Windows Script Components) File Execution by TAEF Detection
id: 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b
status: experimental
description: Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces). Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Te.yml
- https://twitter.com/pabraeken/status/993298228840992768
- https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/
tags:
- attack.t1218
author: Agro (@agro_sev) oscd.community
date: 2020/10/13
logsource:
category: process_creation
product: windows
detection:
selection1:
Image|endswith: '\te.exe'
selection2:
ParentImage|endswith: '\te.exe'
selection3:
OriginalFileName: '\te.exe'
condition: selection1 or selection2 or selection3
falsepositives:
- It's not an uncommon to use te.exe directly to execute legal TAEF tests
level: low