Mofcomp Activity
Managed Object Format (MOF) files can be compiled locally or remotely through mofcomp.exe. Attackers may leverage MOF files to build their own namespaces and classes into the Windows Management Instrumentation (WMI) repository, or establish persistence using WMI Event Subscription.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/08/23"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Managed Object Format (MOF) files can be compiled locally or remotely through mofcomp.exe. Attackers may leverage MOF
11files to build their own namespaces and classes into the Windows Management Instrumentation (WMI) repository, or
12establish persistence using WMI Event Subscription.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.process-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Mofcomp Activity"
19risk_score = 21
20rule_id = "210d4430-b371-470e-b879-80b7182aa75e"
21severity = "low"
22tags = [
23 "Domain: Endpoint",
24 "OS: Windows",
25 "Use Case: Threat Detection",
26 "Tactic: Execution",
27 "Data Source: Elastic Defend",
28]
29timestamp_override = "event.ingested"
30type = "eql"
31
32query = '''
33process where host.os.type == "windows" and event.type == "start" and
34 process.name : "mofcomp.exe" and process.args : "*.mof" and
35 not user.id : "S-1-5-18" and
36 not
37 (
38 process.parent.name : "ScenarioEngine.exe" and
39 process.args : (
40 "*\\MSSQL\\Binn\\*.mof",
41 "*\\Microsoft SQL Server\\???\\Shared\\*.mof",
42 "*\\OLAP\\bin\\*.mof"
43 )
44 )
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1047"
52name = "Windows Management Instrumentation"
53reference = "https://attack.mitre.org/techniques/T1047/"
54
55
56[rule.threat.tactic]
57id = "TA0002"
58name = "Execution"
59reference = "https://attack.mitre.org/tactics/TA0002/"
60[[rule.threat]]
61framework = "MITRE ATT&CK"
62[[rule.threat.technique]]
63id = "T1546"
64name = "Event Triggered Execution"
65reference = "https://attack.mitre.org/techniques/T1546/"
66[[rule.threat.technique.subtechnique]]
67id = "T1546.003"
68name = "Windows Management Instrumentation Event Subscription"
69reference = "https://attack.mitre.org/techniques/T1546/003/"
70
71
72
73[rule.threat.tactic]
74id = "TA0003"
75name = "Persistence"
76reference = "https://attack.mitre.org/tactics/TA0003/"
Related rules
- Clearing Windows Console History
- Command Execution via SolarWinds Process
- Command Prompt Network Connection
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process