From a739e57bff9edd05d98c60191613c7540cd8ac5c Mon Sep 17 00:00:00 2001 From: Daniel Gott <47673777+danielgottt@users.noreply.github.com> Date: Tue, 19 Jul 2022 13:08:56 -0400 Subject: [PATCH] Create Mofcomp.yml Create lolbas yml entry for the Windows binary "mofcomp.exe". This relates to issue #137 --- yml/OSBinaries/Mofcomp.yml | 40 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 yml/OSBinaries/Mofcomp.yml diff --git a/yml/OSBinaries/Mofcomp.yml b/yml/OSBinaries/Mofcomp.yml new file mode 100644 index 0000000..51b7366 --- /dev/null +++ b/yml/OSBinaries/Mofcomp.yml 
@@ -0,0 +1,40 @@ +--- +Name: Mofcomp.exe +Description: A compiler that parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. +Created: 2022-07-19 +Commands: + - Command: mofcomp.exe C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\xitmf + Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository + Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository + Category: Execution and Persistence + Privileges: User + MitreID: T1047 & T1546.003 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 & Windows Server 2008 and above +Commands: + - Command: mofcomp.exe C:\Programdata\x.mof + Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository + Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository + Category: Execution and Persistence + Privileges: User + MitreID: T1047 & T1546.003 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 & Windows Server 2008 and above +Full_Path: + - Path: c:\windows\system32\mofcomp.exe + - Path: c:\windows\syswow64\mofcomp.exe +Code_Sample: + - Code: +Detection: + - IOC: Strange parent processes spawning mofcomp.exe like cmd.exe or powershell.exe + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml + - Sigma: https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml +Resources: + - Link: https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp + - Link: https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof- + - Link: 
https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ +Acknowledgement: + - Person: Daniel Gott + Handle: '@gott_cyber' + - Person: The DFIR Report + Handle: '@TheDFIRReport' + - Person: Nasreddine Bencherchali + Handle: '@nas_bench'
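Review bot: the new file declares the top-level `Commands:` key twice (once before the `C:\Windows\SERVIC~1\...\xitmf` entry and again before the `C:\Programdata\x.mof` entry); most YAML loaders either reject a duplicate mapping key or silently keep only the last one, so the first command would be dropped when the project's build tooling reads the file. Fold both entries under a single `Commands:` list. Since the two entries carry identical Description, Usecase, Category, Privileges, MitreID and OperatingSystem text, consider keeping one command (or make the second one's Description say what differs, e.g. that the first path is the SQL Server service account's temp directory observed in the linked DFIR Report case). A few other points in the same hunk: the Usecase says mofcomp.exe is used "to decompile a BMOF binary", which contradicts the Description two lines above it ("A compiler that parses a file containing MOF statements") and the commands shown, which compile a MOF file into the repository; reword to "compile a MOF file and register a malicious class (or event subscription) in the WMI repository". Both Description lines are missing a word: "in order create new classes" should read "in order to create new classes". `MitreID: T1047 & T1546.003` puts two IDs into one field; check the project's schema for how multiple technique IDs are expected (likely one per command entry, or a single primary ID) rather than an `&`-joined string. `Privileges: User` sits next to T1546.003 (WMI event subscription), which in practice requires administrative rights to write to the subscription namespace; either confirm a standard user can run the shown command to completion or set the field accordingly. Finally, minor style: "Windows vista" should be "Windows Vista", and the `Full_Path` entries use lowercase `c:\windows\system32\...` where the other entries in the repo use `C:\Windows\System32\...`.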