<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Mofcomp - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/mofcomp/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/mofcomp/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious Mofcomp Activity Leading to WMI Abuse</title><link>https://feed.craftedsignal.io/briefs/2024-01-mofcomp-activity/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-mofcomp-activity/</guid><description>Attackers may leverage the mofcomp.exe utility to compile malicious MOF files, enabling them to manipulate the Windows Management Instrumentation (WMI) repository for persistence or execution of arbitrary code.</description><content:encoded><![CDATA[<p>The mofcomp.exe utility is a legitimate Windows tool used to compile Managed Object Format (MOF) files, which define classes and namespaces within the Windows Management Instrumentation (WMI) repository. Attackers can abuse mofcomp.exe to inject malicious code into WMI, enabling persistent execution or other nefarious activities. This technique is often employed to establish persistence by creating WMI event subscriptions that trigger malicious actions when specific system events occur. The described detection rule focuses on identifying suspicious mofcomp.exe executions by filtering out benign activity associated with SQL Server (ScenarioEngine.exe) and the SYSTEM account, highlighting potentially malicious uses of the utility. This activity is a common post-exploitation technique.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to the target system through methods not covered in this brief.</li>
<li>The attacker drops a malicious MOF file onto the system. This file contains code designed to manipulate WMI.</li>
<li>The attacker executes mofcomp.exe to compile the malicious MOF file. The command line includes the path to the MOF file.</li>
<li>Mofcomp.exe compiles the MOF file and modifies the WMI repository according to the MOF file's instructions.</li>
<li>The MOF file creates or modifies WMI event filters, consumers, and bindings, establishing a WMI event subscription.</li>
<li>A specific system event triggers the WMI event subscription.</li>
<li>The WMI event subscription executes a malicious payload, such as running a script or executable.</li>
<li>The attacker achieves persistence or executes arbitrary code on the system, maintaining their access or performing other malicious actions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to achieve persistence on the compromised system, as well as execute arbitrary code. By manipulating WMI, attackers can maintain a hidden presence and control system behavior. This can lead to data theft, system compromise, or further propagation within the network. The creation of WMI event subscriptions is a common persistence mechanism, making it difficult to detect and remove.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Mofcomp Activity&quot; to your SIEM to detect suspicious executions of mofcomp.exe (rule provided below).</li>
<li>Investigate any process execution where <code>process.name : &quot;mofcomp.exe&quot;</code> and <code>process.args : &quot;*.mof&quot;</code> but <code>user.id</code> is not <code>&quot;S-1-5-18&quot;</code> as per the provided EQL query.</li>
<li>Monitor for new or modified WMI event filters, consumers, and bindings to identify potentially malicious WMI event subscriptions.</li>
<li>Implement restrictions on who can execute mofcomp.exe and modify the WMI repository to limit the attack surface.</li>
<li>Enable process monitoring and command-line auditing to capture detailed information about mofcomp.exe executions.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>execution</category><category>persistence</category><category>wmi</category><category>mofcomp</category></item></channel></rss>