{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mofcomp/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["execution","persistence","wmi","mofcomp"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe mofcomp.exe utility is a legitimate Windows tool used to compile Managed Object Format (MOF) files, which define classes and namespaces within the Windows Management Instrumentation (WMI) repository. Attackers can abuse mofcomp.exe to inject malicious code into WMI, enabling persistent execution or other nefarious activities. This technique is often employed to establish persistence by creating WMI event subscriptions that trigger malicious actions when specific system events occur. The described detection rule focuses on identifying suspicious mofcomp.exe executions by filtering out benign activity associated with SQL Server (ScenarioEngine.exe) and the SYSTEM account, highlighting potentially malicious uses of the utility. This activity is a common post-exploitation technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the target system through methods not covered in this brief.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious MOF file onto the system. This file contains code designed to manipulate WMI.\u003c/li\u003e\n\u003cli\u003eThe attacker executes mofcomp.exe to compile the malicious MOF file. The command line includes the path to the MOF file.\u003c/li\u003e\n\u003cli\u003eMofcomp.exe compiles the MOF file and modifies the WMI repository according to the MOF file's instructions.\u003c/li\u003e\n\u003cli\u003eThe MOF file creates or modifies WMI event filters, consumers, and bindings, establishing a WMI event subscription.\u003c/li\u003e\n\u003cli\u003eA specific system event triggers the WMI event subscription.\u003c/li\u003e\n\u003cli\u003eThe WMI event subscription executes a malicious payload, such as running a script or executable.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence or executes arbitrary code on the system, maintaining their access or performing other malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to achieve persistence on the compromised system, as well as execute arbitrary code. By manipulating WMI, attackers can maintain a hidden presence and control system behavior. This can lead to data theft, system compromise, or further propagation within the network. The creation of WMI event subscriptions is a common persistence mechanism, making it difficult to detect and remove.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Mofcomp Activity\u0026quot; to your SIEM to detect suspicious executions of mofcomp.exe (rule provided below).\u003c/li\u003e\n\u003cli\u003eInvestigate any process execution where \u003ccode\u003eprocess.name : \u0026quot;mofcomp.exe\u0026quot;\u003c/code\u003e and \u003ccode\u003eprocess.args : \u0026quot;*.mof\u0026quot;\u003c/code\u003e but \u003ccode\u003euser.id\u003c/code\u003e is not \u003ccode\u003e\u0026quot;S-1-5-18\u0026quot;\u003c/code\u003e as per the provided EQL query.\u003c/li\u003e\n\u003cli\u003eMonitor for new or modified WMI event filters, consumers, and bindings to identify potentially malicious WMI event subscriptions.\u003c/li\u003e\n\u003cli\u003eImplement restrictions on who can execute mofcomp.exe and modify the WMI repository to limit the attack surface.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring and command-line auditing to capture detailed information about mofcomp.exe executions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-mofcomp-activity/","summary":"Attackers may leverage the mofcomp.exe utility to compile malicious MOF files, enabling them to manipulate the Windows Management Instrumentation (WMI) repository for persistence or execution of arbitrary code.","title":"Suspicious Mofcomp Activity Leading to WMI Abuse","url":"https://feed.craftedsignal.io/briefs/2024-01-mofcomp-activity/"}],"language":"en","title":"CraftedSignal Threat Feed - Mofcomp","version":"https://jsonfeed.org/version/1.1"}