Suspicious Mofcomp Activity
This rule detects suspicious mofcomp.exe activity. Attackers may leverage MOF files to manipulate the Windows Management Instrumentation (WMI) repository for execution and persistence; the rule filters out legitimate processes and focuses on unusual executions, excluding known safe parent processes and system accounts.
The rule detects suspicious usage of mofcomp.exe, a command-line tool used to compile Managed Object Format (MOF) files. Attackers can abuse MOF files to manipulate the Windows Management Instrumentation (WMI) repository by building malicious WMI scripts for persistence or execution. This can be achieved by creating their own namespaces and classes within WMI or by establishing persistence through WMI Event Subscriptions. The rule identifies unusual mofcomp.exe activity by filtering out legitimate processes and focusing on unusual executions, excluding known safe parent processes such as ScenarioEngine.exe and system accounts (S-1-5-18). This detection is designed to work with data from Elastic Defend, Microsoft Defender XDR, CrowdStrike, and Windows Security Event Logs. The rule aims to detect potential misuse of WMI for malicious purposes, improving visibility of attacker techniques for execution and persistence.
Attack Chain
- An attacker gains initial access to the system (e.g., through phishing or exploitation of a vulnerability).
- The attacker uploads a malicious MOF file to the compromised system.
- The attacker executes mofcomp.exe to compile the malicious MOF file. mofcomp.exe processes the MOF file, creating new namespaces and classes or modifying existing ones in the WMI repository.
- If the MOF file creates a WMI Event Subscription, it triggers the execution of a malicious script or binary when a specific event occurs.
- The malicious script or binary executes, performing actions such as installing malware, creating backdoors, or exfiltrating data.
- The attacker maintains persistence through the WMI Event Subscription, ensuring continued access even after system reboots.
Impact
Successful exploitation via malicious MOF files can lead to persistent access, code execution, and system compromise. Attackers can use this technique to install malware, create backdoors, or steal sensitive data. The rule aims to detect early stages of such attacks, preventing significant damage. By establishing persistence, attackers can maintain long-term control over the compromised system, evading traditional detection methods.
Recommendation
- Deploy the provided Sigma rules to your SIEM to detect suspicious mofcomp.exe activity and tune them for your environment.
- Enable process creation logging and command-line auditing on Windows systems to capture the events the provided Sigma rules need.
- Investigate any alerts generated by the Sigma rules, focusing on unusual MOF file paths, parent processes, and user accounts.
- Review and monitor WMI namespaces and classes for unauthorized modifications or additions following any detected suspicious mofcomp.exe activity.
Detection coverage (2 rules)
Detect Mofcomp Execution with Suspicious Arguments
Severity: medium. Detects mofcomp.exe execution with .mof files in command line arguments, excluding the system account and known SQL Server parent processes.
Detect Mofcomp Execution Outside System32
Severity: low. Detects mofcomp.exe execution from locations other than System32, indicating potential tampering or malicious execution.
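The two coverage rules above, expressed as an added Python example run over constructed process-creation events (this is illustrative code, not the platform's own queries): the SYSTEM SID and the ScenarioEngine.exe parent are taken from the page, while the sample paths, the user SID and the rule names are assumptions.

```python
import re
from dataclasses import dataclass

SYSTEM_SID = "S-1-5-18"               # LocalSystem, excluded by the rule
SYSTEM32 = "c:\\windows\\system32\\"  # the legitimate copy lives in System32\wbem
# Benign parent named on the page; add your SQL Server setup process names when tuning.
KNOWN_PARENTS = {"scenarioengine.exe"}
MOF_ARG = re.compile(r"\.mof(?:[\s\"']|$)", re.IGNORECASE)

@dataclass
class ProcessEvent:
    image: str
    command_line: str
    parent_image: str
    user_sid: str

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_arguments(ev: ProcessEvent) -> bool:
    """Coverage 1: mofcomp.exe given a .mof, minus SYSTEM and known parents."""
    return (basename(ev.image) == "mofcomp.exe"
            and MOF_ARG.search(ev.command_line) is not None
            and ev.user_sid != SYSTEM_SID
            and basename(ev.parent_image) not in KNOWN_PARENTS)

def outside_system32(ev: ProcessEvent) -> bool:
    """Coverage 2: a mofcomp.exe image that is not under System32."""
    return (basename(ev.image) == "mofcomp.exe"
            and not ev.image.lower().startswith(SYSTEM32))

def evaluate(events):
    """Return (rule, command_line) pairs for each event that fires a rule."""
    alerts = []
    for ev in events:
        if suspicious_arguments(ev):
            alerts.append(("suspicious_arguments", ev.command_line))
        if outside_system32(ev):
            alerts.append(("outside_system32", ev.command_line))
    return alerts

LEGIT = r"C:\Windows\System32\wbem\mofcomp.exe"
USER = "S-1-5-21-1000-2000-3000-1001"     # constructed interactive-user SID
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    ProcessEvent(LEGIT, r"mofcomp.exe C:\Windows\System32\wbem\cimwin32.mof",
                 r"C:\Windows\System32\svchost.exe", "S-1-5-18"),   # excluded: SYSTEM
    ProcessEvent(LEGIT, r"mofcomp.exe C:\SqlSetup\sql.mof",
                 r"C:\SqlSetup\ScenarioEngine.exe", USER),          # excluded: parent
    ProcessEvent(LEGIT, r"mofcomp.exe C:\Users\Public\update.mof",
                 r"C:\Windows\System32\cmd.exe", USER),             # fires coverage 1
    ProcessEvent(r"C:\Users\Public\mofcomp.exe", r"mofcomp.exe C:\Users\Public\u.mof",
                 r"C:\Windows\System32\cmd.exe", USER),             # fires both rules
]
```

On 64-bit hosts a 32-bit copy of mofcomp.exe also exists under C:\Windows\SysWOW64\wbem; add that prefix to the allowed locations if your environment runs it legitimately, otherwise the low-severity rule will fire on it.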