public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2025-11-04 10:39:56 +01:00
Code Issues Projects Releases Wiki Activity

Minor changes to invoke CI checks

Browse Source
This commit is contained in:
Wietze
2023-08-05 19:14:22 +01:00
committed by GitHub
parent 2d95c1a9d4
commit dc1bdf0ff9
1 changed files with 4 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
yml/OSBinaries/Mofcomp.yml
View File

@@ -9,21 +9,19 @@ Commands:
Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository
Category: Execution and Persistence Category: Execution and Persistence
Privileges: User Privileges: User
MitreID: T1047 & T1546.003 MitreID: T1047
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 & Windows Server 2008 and above OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 & Windows Server 2008 and above
Commands: Commands:
- Command: mofcomp.exe C:\Programdata\x.mof - Command: mofcomp.exe C:\Programdata\x.mof
Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository
Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository
Category: Execution and Persistence Category: Execution and Persistence
Privileges: User Privileges: User
MitreID: T1047 & T1546.003 MitreID: T1047
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 & Windows Server 2008 and above OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 & Windows Server 2008 and above
Full_Path: Full_Path:
- Path: C:\Windows\System32\wbem\mofcomp.exe - Path: C:\Windows\System32\wbem\mofcomp.exe
- Path: C:\Windows\SysWOW64\wbem\mofcomp.exe - Path: C:\Windows\SysWOW64\wbem\mofcomp.exe
Code_Sample:
- Code:
Detection: Detection:
- IOC: strange parent processes spawning mofcomp.exe like cmd.exe or powershell.exe - IOC: strange parent processes spawning mofcomp.exe like cmd.exe or powershell.exe
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml