public-mirrors/LOLBAS
1
0
Fork 0
mirror of https://github.com/LOLBAS-Project/LOLBAS synced 2024-12-29 08:17:51 +01:00
Code Issues Projects Releases Wiki Activity
81688557d0
LOLBAS/yml/OSBinaries/Mofcomp.yml
Conor Richard 81688557d0
Update Mofcomp.yml 
Correcting YAML errors
2023-10-06 21:58:12 -04:00

41 lines
2.4 KiB
YAML
Raw Blame History

---
Name: mofcomp.exe
Description: Compiler that parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Threat actors can leverage this binary to install malicious MOF scripts
Author: Daniel Gott
Created: 2022-07-19
Commands:
- Command: mofcomp.exe C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\xitmf
Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository
Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository
Category: Execution and Persistence
Privileges: User
MitreID: T1047
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 & Windows Server 2008 and above
- Command: mofcomp.exe C:\Programdata\x.mof
Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository
Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository
Category: Execution and Persistence
Privileges: User
MitreID: T1047
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 & Windows Server 2008 and above
Full_Path:
- Path: C:\Windows\System32\wbem\mofcomp.exe
- Path: C:\Windows\SysWOW64\wbem\mofcomp.exe
Detection:
- IOC: strange parent processes spawning mofcomp.exe like cmd.exe or powershell.exe
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml
- Sigma: https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml
Resources:
- Link: https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
- Link: https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof-
- Link: https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
- Link: https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
- Link: https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96
Acknowledgement:
- Person: Daniel Gott
Handle: '@gott_cyber'
- Person: The DFIR Report
Handle: '@TheDFIRReport'
- Person: Nasreddine Bencherchali
Handle: '@nas_bench'
Reference in New Issue View Git Blame Copy Permalink