Create Mofcomp.yml #236

Open
wants to merge 7 commits into
base: master
40 changes: 40 additions & 0 deletions yml/OSBinaries/Mofcomp.yml
@@ -0,0 +1,40 @@
---
Name: mofcomp.exe
Description: Compiler that parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Threat actors can leverage this binary to install malicious MOF scripts
Author: Daniel Gott
Created: 2022-07-19
Commands:
- Command: mofcomp.exe C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\xitmf
Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository
Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository
Category: Execute
Privileges: User
MitreID: T1047
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 & Windows Server 2008 and above
- Command: mofcomp.exe C:\Programdata\x.mof
Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository
Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository
Category: Execute
Privileges: User
MitreID: T1047
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 & Windows Server 2008 and above
Full_Path:
- Path: C:\Windows\System32\wbem\mofcomp.exe
- Path: C:\Windows\SysWOW64\wbem\mofcomp.exe
Detection:
- IOC: strange parent processes spawning mofcomp.exe like cmd.exe or powershell.exe
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml
- Sigma: https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml
Resources:
- Link: https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
- Link: https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof-
- Link: https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
- Link: https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/
- Link: https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96
Acknowledgement:
- Person: Daniel Gott
Handle: '@gott_cyber'
- Person: The DFIR Report
Handle: '@TheDFIRReport'
- Person: Nasreddine Bencherchali
Handle: '@nas_bench'
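Review bot: the Usecase text for both Commands ("decompile a BMOF binary and then register a malicious class") contradicts the file's own Description, which states that mofcomp.exe parses MOF statements and adds the resulting classes to the WMI repository; both listed commands pass a MOF file to be compiled, not a BMOF to be decompiled, so the Usecase should describe compiling and registering classes (the persistence angle the linked WMI event subscription resources cover) and, if BMOF handling is intended, it needs its own Command entry. Both Commands also carry identical Description and Usecase strings; the first one is the specific MSSQL-related path from the linked DFIR Report article and the second a generic ProgramData drop, so the two entries should say what distinguishes them or be merged into one. Minor text fixes in the same lines: "in order create new classes" should read "in order to create new classes", and "Windows vista" should be "Windows Vista" to match the other OS names.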