LOLBAS/yml/OSBinaries/Mofcomp.yml

---
Name: Mofcomp.exe
Description: A compiler that parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
Created: 2022-07-19
Commands:
  - Command: mofcomp.exe C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\xitmf
    Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository
    Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository
    Category: Execution and Persistence
    Privileges: User
    MitreID: T1047 & T1546.003 
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 & Windows Server 2008 and above
Commands:
  - Command: mofcomp.exe C:\Programdata\x.mof
    Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository
    Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository
    Category: Execution and Persistence
    Privileges: User
    MitreID: T1047 & T1546.003 
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 & Windows Server 2008 and above
Full_Path:
  - Path: c:\windows\system32\mofcomp.exe
  - Path: c:\windows\syswow64\mofcomp.exe
Code_Sample:
  - Code:
Detection:
  - IOC: Strange parent processes spawning mofcomp.exe like cmd.exe or powershell.exe
  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml
  - Sigma: https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml
Resources:
  - Link: https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
  - Link: https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof-
  - Link: https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
  - Link: https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
  - Link: https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96
Acknowledgement:
  - Person: Daniel Gott
    Handle: '@gott_cyber'
  - Person: The DFIR Report
    Handle: '@TheDFIRReport'
  - Person: Nasreddine Bencherchali
    Handle: '@nas_bench'
Create Mofcomp.yml Create lolbas yml entry for the Windows binary "mofcomp.exe". This relates to issue #137 2022-07-19 19:08:56 +02:00			`---`
			`Name: Mofcomp.exe`
			`Description: A compiler that parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.`
			`Created: 2022-07-19`
			`Commands:`
			`- Command: mofcomp.exe C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\xitmf`
			`Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository`
			`Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository`
			`Category: Execution and Persistence`
			`Privileges: User`
			`MitreID: T1047 & T1546.003`
			`OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 & Windows Server 2008 and above`
			`Commands:`
			`- Command: mofcomp.exe C:\Programdata\x.mof`
			`Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository`
			`Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository`
			`Category: Execution and Persistence`
			`Privileges: User`
			`MitreID: T1047 & T1546.003`
			`OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 & Windows Server 2008 and above`
			`Full_Path:`
			`- Path: c:\windows\system32\mofcomp.exe`
			`- Path: c:\windows\syswow64\mofcomp.exe`
			`Code_Sample:`
			`- Code:`
			`Detection:`
			`- IOC: Strange parent processes spawning mofcomp.exe like cmd.exe or powershell.exe`
			`- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml`
			`- Sigma: https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml`
			`Resources:`
			`- Link: https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp`
			`- Link: https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof-`
			`- Link: https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/`
Update Mofcomp.yml Added additional resources for detection via PowerShell etc 2022-07-19 19:13:39 +02:00			`- Link: https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/`
			`- Link: https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96`
Create Mofcomp.yml Create lolbas yml entry for the Windows binary "mofcomp.exe". This relates to issue #137 2022-07-19 19:08:56 +02:00			`Acknowledgement:`
			`- Person: Daniel Gott`
			`Handle: '@gott_cyber'`
			`- Person: The DFIR Report`
			`Handle: '@TheDFIRReport'`
			`- Person: Nasreddine Bencherchali`
			`Handle: '@nas_bench'`