LOLBAS/yml/OSBinaries/Mofcomp.yml

---
Name: mofcomp.exe
Description: Compiler that parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Threat actors can leverage this binary to install malicious MOF scripts
Author: Daniel Gott
Created: 2022-07-19
Commands:
  - Command: mofcomp.exe C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\xitmf
    Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository
    Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository
    Category: Execute
    Privileges: User
    MitreID: T1047
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 & Windows Server 2008 and above
  - Command: mofcomp.exe C:\Programdata\x.mof
    Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository
    Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository
    Category: Execute
    Privileges: User
    MitreID: T1047
    OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 & Windows Server 2008 and above
Full_Path:
  - Path: C:\Windows\System32\wbem\mofcomp.exe
  - Path: C:\Windows\SysWOW64\wbem\mofcomp.exe
Detection:
  - IOC: strange parent processes spawning mofcomp.exe like cmd.exe or powershell.exe
  - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml
  - Sigma: https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml
Resources:
  - Link: https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
  - Link: https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof-
  - Link: https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
  - Link: https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
  - Link: https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96
Acknowledgement:
  - Person: Daniel Gott
    Handle: '@gott_cyber'
  - Person: The DFIR Report
    Handle: '@TheDFIRReport'
  - Person: Nasreddine Bencherchali
    Handle: '@nas_bench'
Create Mofcomp.yml Create lolbas yml entry for the Windows binary "mofcomp.exe". This relates to issue #137 2022-07-19 19:08:56 +02:00			`---`
update Mofcomp.yml Correction to path's 2022-07-20 00:21:55 +02:00			`Name: mofcomp.exe`
			`Description: Compiler that parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Threat actors can leverage this binary to install malicious MOF scripts`
			`Author: Daniel Gott`
Create Mofcomp.yml Create lolbas yml entry for the Windows binary "mofcomp.exe". This relates to issue #137 2022-07-19 19:08:56 +02:00			`Created: 2022-07-19`
			`Commands:`
			`- Command: mofcomp.exe C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\xitmf`
			`Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository`
			`Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository`
Update Mofcomp.yml YAML Syntax 2023-10-07 04:04:06 +02:00			`Category: Execute`
Create Mofcomp.yml Create lolbas yml entry for the Windows binary "mofcomp.exe". This relates to issue #137 2022-07-19 19:08:56 +02:00			`Privileges: User`
Update Mofcomp.yml Correcting YAML errors 2023-10-07 03:58:12 +02:00			`MitreID: T1047`
Minor changes to invoke CI checks 2023-08-05 20:14:22 +02:00			`OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 & Windows Server 2008 and above`
Create Mofcomp.yml Create lolbas yml entry for the Windows binary "mofcomp.exe". This relates to issue #137 2022-07-19 19:08:56 +02:00			`- Command: mofcomp.exe C:\Programdata\x.mof`
			`Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository`
			`Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository`
Update Mofcomp.yml YAML Syntax 2023-10-07 04:04:06 +02:00			`Category: Execute`
Create Mofcomp.yml Create lolbas yml entry for the Windows binary "mofcomp.exe". This relates to issue #137 2022-07-19 19:08:56 +02:00			`Privileges: User`
Minor changes to invoke CI checks 2023-08-05 20:14:22 +02:00			`MitreID: T1047`
			`OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 & Windows Server 2008 and above`
Create Mofcomp.yml Create lolbas yml entry for the Windows binary "mofcomp.exe". This relates to issue #137 2022-07-19 19:08:56 +02:00			`Full_Path:`
update Mofcomp.yml Correction to path's 2022-07-20 00:21:55 +02:00			`- Path: C:\Windows\System32\wbem\mofcomp.exe`
			`- Path: C:\Windows\SysWOW64\wbem\mofcomp.exe`
Create Mofcomp.yml Create lolbas yml entry for the Windows binary "mofcomp.exe". This relates to issue #137 2022-07-19 19:08:56 +02:00			`Detection:`
update Mofcomp.yml Correction to path's 2022-07-20 00:21:55 +02:00			`- IOC: strange parent processes spawning mofcomp.exe like cmd.exe or powershell.exe`
Create Mofcomp.yml Create lolbas yml entry for the Windows binary "mofcomp.exe". This relates to issue #137 2022-07-19 19:08:56 +02:00			`- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml`
			`- Sigma: https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml`
			`Resources:`
			`- Link: https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp`
			`- Link: https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof-`
			`- Link: https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/`
Update Mofcomp.yml Added additional resources for detection via PowerShell etc 2022-07-19 19:13:39 +02:00			`- Link: https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/`
			`- Link: https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96`
Create Mofcomp.yml Create lolbas yml entry for the Windows binary "mofcomp.exe". This relates to issue #137 2022-07-19 19:08:56 +02:00			`Acknowledgement:`
			`- Person: Daniel Gott`
			`Handle: '@gott_cyber'`
			`- Person: The DFIR Report`
			`Handle: '@TheDFIRReport'`
			`- Person: Nasreddine Bencherchali`
			`Handle: '@nas_bench'`