forked from LOLBAS-Project/LOLBAS
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create lolbas yml entry for the Windows binary "mofcomp.exe". This relates to issue LOLBAS-Project#137
- Loading branch information
1 parent
8283d8d
commit a739e57
Showing
1 changed file
with
40 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| --- | ||
| Name: Mofcomp.exe | ||
| Description: A compiler that parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. | ||
| Created: 2022-07-19 | ||
| Commands: | ||
| - Command: mofcomp.exe C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\xitmf | ||
| Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository | ||
| Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository | ||
| Category: Execution and Persistence | ||
| Privileges: User | ||
| MitreID: T1047 & T1546.003 | ||
| OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 & Windows Server 2008 and above | ||
| Commands: | ||
| - Command: mofcomp.exe C:\Programdata\x.mof | ||
| Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository | ||
| Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository | ||
| Category: Execution and Persistence | ||
| Privileges: User | ||
| MitreID: T1047 & T1546.003 | ||
| OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 & Windows Server 2008 and above | ||
| Full_Path: | ||
| - Path: c:\windows\system32\mofcomp.exe | ||
| - Path: c:\windows\syswow64\mofcomp.exe | ||
| Code_Sample: | ||
| - Code: | ||
| Detection: | ||
| - IOC: Strange parent processes spawning mofcomp.exe like cmd.exe or powershell.exe | ||
| - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml | ||
| - Sigma: https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml | ||
| Resources: | ||
| - Link: https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp | ||
| - Link: https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof- | ||
| - Link: https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ | ||
| Acknowledgement: | ||
| - Person: Daniel Gott | ||
| Handle: '@gott_cyber' | ||
| - Person: The DFIR Report | ||
| Handle: '@TheDFIRReport' | ||
| - Person: Nasreddine Bencherchali | ||
| Handle: '@nas_bench' |