update Mofcomp.yml

Correction to paths
Daniel Gott 2022-07-19 18:21:55 -04:00 committed by GitHub
parent 9814c950c8
commit 2d95c1a9d4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1,6 +1,7 @@
---
Name: Mofcomp.exe
Description: A compiler that parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
Name: mofcomp.exe
Description: Compiler that parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Threat actors can leverage this binary to install malicious MOF scripts
Author: Daniel Gott
Created: 2022-07-19
Commands:
- Command: mofcomp.exe C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\xitmf
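Review bot: the commit message ("Correction to paths") does not cover what this hunk does, which is renaming `Name: Mofcomp.exe` to `Name: mofcomp.exe` and extending the Description; either mention those changes in the message or move them to their own commit. The new Description also ends without a period, so close the sentence: `... install malicious MOF scripts.`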
@ -19,12 +20,12 @@ Commands:
MitreID: T1047 & T1546.003
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 & Windows Server 2008 and above
Full_Path:
- Path: c:\windows\system32\mofcomp.exe
- Path: c:\windows\syswow64\mofcomp.exe
- Path: C:\Windows\System32\wbem\mofcomp.exe
- Path: C:\Windows\SysWOW64\wbem\mofcomp.exe
Code_Sample:
- Code:
Detection:
- IOC: Strange parent processes spawning mofcomp.exe like cmd.exe or powershell.exe
- IOC: strange parent processes spawning mofcomp.exe like cmd.exe or powershell.exe
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml
- Sigma: https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml
Resources:
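Review bot: the path correction (adding the `wbem` subdirectory under both `System32` and `SysWOW64`) is the substantive fix here, but the IOC entry is changed only from `Strange parent processes ...` to `strange parent processes ...`, which lowercases the start of the sentence for no stated reason; drop that change or keep the capitalised form so it matches the other Detection entries. The `Code_Sample:` / `- Code:` entry in the context lines is still empty; if no sample is planned, consider removing the placeholder rather than leaving an empty field.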