Mofcomp Activity
Managed Object Format (MOF) files can be compiled locally or remotely through mofcomp.exe. Attackers may leverage MOF files to build their own namespaces and classes into the Windows Management Instrumentation (WMI) repository, or establish persistence using WMI Event Subscription.
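[metadata]
creation_date = "2023/08/23"
# Integrations whose process-start events feed the `index` patterns under [rule].
integration = ["endpoint", "m365_defender", "system", "crowdstrike"]
maturity = "production"
updated_date = "2024/10/31"

[rule]
author = ["Elastic"]
description = """
Managed Object Format (MOF) files can be compiled locally or remotely through mofcomp.exe. Attackers may leverage MOF
files to build their own namespaces and classes into the Windows Management Instrumentation (WMI) repository, or
establish persistence using WMI Event Subscription.
"""
# Start of the search window for each rule run, relative to the run time.
from = "now-9m"
index = [
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "endgame-*",
    "logs-system.security-*",
    "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Mofcomp Activity"
# Low score/severity: the SQL Server exclusion in the query shows legitimate
# installers also invoke mofcomp.exe, so a hit is a triage lead, not a
# high-confidence alert.
risk_score = 21
rule_id = "210d4430-b371-470e-b879-80b7182aa75e"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Elastic Defend",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Elastic Endgame",
    "Data Source: System",
    "Data Source: Crowdstrike",
]
# Apply the search window to ingest time rather than event time so that
# events arriving late are still evaluated.
timestamp_override = "event.ingested"
type = "eql"

# Match a process start of mofcomp.exe that is given a .mof file as an
# argument (`:` is a case-insensitive match with `*`/`?` wildcards).
# Exclusions:
#   - user.id S-1-5-18 (the LocalSystem account), presumably to suppress OS
#     components compiling MOF files at boot/servicing time. This also means
#     mofcomp runs by any service or task running as SYSTEM never alert;
#     review whether that gap is acceptable for the environment.
#   - SQL Server setup (ScenarioEngine.exe) compiling the MOF files shipped
#     under its own install paths; the `???` matches the version folder.
query = '''
process where host.os.type == "windows" and event.type == "start" and
 process.name : "mofcomp.exe" and process.args : "*.mof" and
 not user.id : "S-1-5-18" and
 not
 (
 process.parent.name : "ScenarioEngine.exe" and
 process.args : (
 "*\\MSSQL\\Binn\\*.mof",
 "*\\Microsoft SQL Server\\???\\Shared\\*.mof",
 "*\\OLAP\\bin\\*.mof"
 )
 )
'''

# ATT&CK mapping: compiling into the WMI repository is WMI abuse (Execution).
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1047"
name = "Windows Management Instrumentation"
reference = "https://attack.mitre.org/techniques/T1047/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

# ATT&CK mapping: a MOF file can register a permanent WMI event subscription
# (Persistence).
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"

[[rule.threat.technique.subtechnique]]
id = "T1546.003"
name = "Windows Management Instrumentation Event Subscription"
reference = "https://attack.mitre.org/techniques/T1546/003/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"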
Related rules
- Command Execution via SolarWinds Process
- Enumeration Command Spawned via WMIPrvSE
- Microsoft Management Console File from Unusual Path
- Potential Foxmail Exploitation
- Process Activity via Compiled HTML File