MOFComp Execution

 1title: MOFComp Execution
 2id: fd7aed23-7585-44fb-9920-5da82c740e6e
 3status: experimental
 4description: Detects abuse of mofcomp to load WMI classes i.e. to create WMI event subscriptions
 5author: _pete_0, TheDFIRReport
 6references:
 7    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 8date: 2022-07-11
 9modified: 2022-07-11
10logsource:
11    category: process_creation
12    product: windows
13detection:
14    selection:
15        Image|endswith: '\mofcomp.exe'
16        ParentImage|endswith:
17            - '\cmd.exe'
18            - '\powershell.exe'
19    condition: selection
20fields:
21    - ParentCommandLine
22falsepositives:
23    - System administrator activities
24level: high
25tags:
26    - attack.execution
27    - attack.t1546.003

References

• SELECT XMRig FROM SQLServer

  

  In March 2022, we observed an intrusion on a public-facing Microsoft SQL Server. The end goal of this intrusion was to deploy a coin miner. Although deploying a coin miner on a vulnerable server af…

  
  Read More

Related rules

• AteraAgent malicious installations
• Nullsoft Scriptable Installer Script (NSIS) execution
• Nullsoft Scriptable Installer Script (NSIS) file creation
• Operator Bloopers Cobalt Strike Modules
• Scheduled task executing powershell encoded payload from registry