Mofcomp Activity
Managed Object Format (MOF) files can be compiled locally or remotely through mofcomp.exe. Attackers may leverage MOF files to build their own namespaces and classes into the Windows Management Instrumentation (WMI) repository, or establish persistence using WMI Event Subscription.
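[metadata]
creation_date = "2023/08/23"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/04/05"

[rule]
author = ["Elastic"]
description = """
Managed Object Format (MOF) files can be compiled locally or remotely through mofcomp.exe. Attackers may leverage MOF
files to build their own namespaces and classes into the Windows Management Instrumentation (WMI) repository, or
establish persistence using WMI Event Subscription.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*"]
language = "eql"
license = "Elastic License v2"
name = "Mofcomp Activity"
risk_score = 21
rule_id = "210d4430-b371-470e-b879-80b7182aa75e"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"

# Process-start events for mofcomp.exe that receive a .mof path as an argument.
# Activity running as LocalSystem (S-1-5-18) is excluded, so MOF compilation in
# the SYSTEM context (presumably installers and services) never alerts; revisit
# this exclusion if SYSTEM-level WMI persistence is a concern for the environment.
# The ScenarioEngine.exe clause suppresses MOF files compiled from SQL Server
# install paths (presumably SQL Server setup); keep its path patterns narrow so
# the exclusion cannot be satisfied by an arbitrary .mof elsewhere on disk.
query = '''
process where host.os.type == "windows" and event.type == "start" and
 process.name : "mofcomp.exe" and process.args : "*.mof" and
 not user.id : "S-1-5-18" and
 not
 (
 process.parent.name : "ScenarioEngine.exe" and
 process.args : (
 "*\\MSSQL\\Binn\\*.mof",
 "*\\Microsoft SQL Server\\???\\Shared\\*.mof",
 "*\\OLAP\\bin\\*.mof"
 )
 )
'''

# ATT&CK mapping: WMI as the execution vehicle.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1047"
name = "Windows Management Instrumentation"
reference = "https://attack.mitre.org/techniques/T1047/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

# ATT&CK mapping: WMI event subscriptions registered via a compiled MOF.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"

[[rule.threat.technique.subtechnique]]
id = "T1546.003"
name = "Windows Management Instrumentation Event Subscription"
reference = "https://attack.mitre.org/techniques/T1546/003/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"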