Potential Suspicious Mofcomp Execution

 1title: Potential Suspicious Mofcomp Execution
 2id: 1dd05363-104e-4b4a-b963-196a534b03a1
 3status: test
 4description: |
 5    Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline.
 6    The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
 7    Attackers abuse this utility to install malicious MOF scripts    
 8references:
 9    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
10    - https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml
11    - https://learn.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
12author: Nasreddine Bencherchali (Nextron Systems)
13date: 2022-07-12
14modified: 2023-04-11
15tags:
16    - attack.defense-evasion
17    - attack.t1218
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_img:
23        - Image|endswith: '\mofcomp.exe'
24        - OriginalFileName: 'mofcomp.exe'
25    selection_case:
26        - ParentImage|endswith:
27              - '\cmd.exe'
28              - '\powershell.exe'
29              - '\pwsh.exe'
30              - '\wsl.exe'
31              - '\wscript.exe'
32              - '\cscript.exe'
33        - CommandLine|contains:
34              - '\AppData\Local\Temp'
35              - '\Users\Public\'
36              - '\WINDOWS\Temp\'
37              - '%temp%'
38              - '%tmp%'
39              - '%appdata%'
40    filter_main_wmiprvse:
41        ParentImage: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
42        CommandLine|contains: 'C:\Windows\TEMP\'
43        CommandLine|endswith: '.mof'
44    filter_optional_null_parent:
45        # Sometimes the parent information isn't available from the Microsoft-Windows-Security-Auditing provider.
46        CommandLine|contains: 'C:\Windows\TEMP\'
47        CommandLine|endswith: '.mof'
48    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
49falsepositives:
50    - Unknown
51level: high

References

• SELECT XMRig FROM SQLServer

  

  In March 2022, we observed an intrusion on a public-facing Microsoft SQL Server. The end goal of this intrusion was to deploy a coin miner. Although deploying a coin miner on a vulnerable server af…

  
  Read More

• Sigma-Rules/win_mofcomp_execution.yml at 75260568a7ffe61b2458ca05f6f25914efb44337 · The-DFIR-Report/Sigma-Rules

  

  Rules generated from our investigations. Contribute to The-DFIR-Report/Sigma-Rules development by creating an account on GitHub.

  
  Read More

• mofcomp - Win32 apps

  

  The Managed Object Format (MOF) compiler parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.

  
  Read More

Related rules

• Abusing Print Executable
• AddinUtil.EXE Execution From Uncommon Directory
• AgentExecutor PowerShell Execution
• Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
• Arbitrary File Download Via MSOHTMED.EXE