From a739e57bff9edd05d98c60191613c7540cd8ac5c Mon Sep 17 00:00:00 2001 From: Daniel Gott <47673777+danielgottt@users.noreply.github.com> Date: Tue, 19 Jul 2022 13:08:56 -0400 Subject: [PATCH 1/7] Create Mofcomp.yml Create lolbas yml entry for the Windows binary "mofcomp.exe". This relates to issue #137 --- yml/OSBinaries/Mofcomp.yml | 40 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 yml/OSBinaries/Mofcomp.yml diff --git a/yml/OSBinaries/Mofcomp.yml b/yml/OSBinaries/Mofcomp.yml new file mode 100644 index 000000000..51b736620 --- /dev/null +++ b/yml/OSBinaries/Mofcomp.yml 
@@ -0,0 +1,40 @@ +--- +Name: Mofcomp.exe +Description: A compiler that parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. +Created: 2022-07-19 +Commands: + - Command: mofcomp.exe C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\xitmf + Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository + Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository + Category: Execution and Persistence + Privileges: User + MitreID: T1047 & T1546.003 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 & Windows Server 2008 and above +Commands: + - Command: mofcomp.exe C:\Programdata\x.mof + Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository + Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository + Category: Execution and Persistence + Privileges: User + MitreID: T1047 & T1546.003 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 & Windows Server 2008 and above +Full_Path: + - Path: c:\windows\system32\mofcomp.exe + - Path: c:\windows\syswow64\mofcomp.exe +Code_Sample: + - Code: +Detection: + - IOC: Strange parent processes spawning mofcomp.exe like cmd.exe or powershell.exe + - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml + - Sigma: https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml +Resources: + - Link: https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp + - Link: https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof- + - Link: 
https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ +Acknowledgement: + - Person: Daniel Gott + Handle: '@gott_cyber' + - Person: The DFIR Report + Handle: '@TheDFIRReport' + - Person: Nasreddine Bencherchali + Handle: '@nas_bench' From 9814c950c837c683aca835abced7979a7935f590 Mon Sep 17 00:00:00 2001 From: Daniel Gott <47673777+danielgottt@users.noreply.github.com> Date: Tue, 19 Jul 2022 13:13:39 -0400 Subject: [PATCH 2/7] Update Mofcomp.yml Added additional resources for detection via PowerShell etc --- yml/OSBinaries/Mofcomp.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/yml/OSBinaries/Mofcomp.yml b/yml/OSBinaries/Mofcomp.yml index 51b736620..5dc292847 100644 --- a/yml/OSBinaries/Mofcomp.yml +++ b/yml/OSBinaries/Mofcomp.yml @@ -31,6 +31,8 @@ Resources: - Link: https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp - Link: https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format--mof- - Link: https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ + - Link: https://in.security/2019/04/03/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/ + - Link: https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96 Acknowledgement: - Person: Daniel Gott Handle: '@gott_cyber' From 2d95c1a9d44031cc12c0ad9ab1a798b429304179 Mon Sep 17 00:00:00 2001 From: Daniel Gott <47673777+danielgottt@users.noreply.github.com> Date: Tue, 19 Jul 2022 18:21:55 -0400 Subject: [PATCH 3/7] update Mofcomp.yml Correction to path's --- yml/OSBinaries/Mofcomp.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/yml/OSBinaries/Mofcomp.yml b/yml/OSBinaries/Mofcomp.yml index 5dc292847..50205034e 100644 --- a/yml/OSBinaries/Mofcomp.yml +++ b/yml/OSBinaries/Mofcomp.yml 
@@ -1,6 +1,7 @@ --- -Name: Mofcomp.exe -Description: A compiler that parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. +Name: mofcomp.exe +Description: Compiler that parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Threat actors can leverage this binary to install malicious MOF scripts +Author: Daniel Gott Created: 2022-07-19 Commands: - Command: mofcomp.exe C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\xitmf @@ -19,12 +20,12 @@ Commands: MitreID: T1047 & T1546.003 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 & Windows Server 2008 and above Full_Path: - - Path: c:\windows\system32\mofcomp.exe - - Path: c:\windows\syswow64\mofcomp.exe + - Path: C:\Windows\System32\wbem\mofcomp.exe + - Path: C:\Windows\SysWOW64\wbem\mofcomp.exe Code_Sample: - Code: Detection: - - IOC: Strange parent processes spawning mofcomp.exe like cmd.exe or powershell.exe + - IOC: strange parent processes spawning mofcomp.exe like cmd.exe or powershell.exe - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml - Sigma: https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml Resources: From dc1bdf0ff960b5e0073f4b2b41475233a42beb9d Mon Sep 17 00:00:00 2001 From: Wietze Date: Sat, 5 Aug 2023 19:14:22 +0100 Subject: [PATCH 4/7] Minor changes to invoke CI checks --- yml/OSBinaries/Mofcomp.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/yml/OSBinaries/Mofcomp.yml b/yml/OSBinaries/Mofcomp.yml index 50205034e..d8d510ad6 100644 --- a/yml/OSBinaries/Mofcomp.yml +++ b/yml/OSBinaries/Mofcomp.yml 
@@ -9,21 +9,19 @@ Commands: Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository Category: Execution and Persistence Privileges: User - MitreID: T1047 & T1546.003 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 & Windows Server 2008 and above + MitreID: T1047 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 & Windows Server 2008 and above Commands: - Command: mofcomp.exe C:\Programdata\x.mof Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository Category: Execution and Persistence Privileges: User - MitreID: T1047 & T1546.003 - OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 & Windows Server 2008 and above + MitreID: T1047 + OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 & Windows Server 2008 and above Full_Path: - Path: C:\Windows\System32\wbem\mofcomp.exe - Path: C:\Windows\SysWOW64\wbem\mofcomp.exe -Code_Sample: - - Code: Detection: - IOC: strange parent processes spawning mofcomp.exe like cmd.exe or powershell.exe - Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml From 81688557d0aed1d6444796ff311328932356648d Mon Sep 17 00:00:00 2001 From: Conor Richard Date: Fri, 6 Oct 2023 21:58:12 -0400 Subject: [PATCH 5/7] Update Mofcomp.yml Correcting YAML errors --- yml/OSBinaries/Mofcomp.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/yml/OSBinaries/Mofcomp.yml b/yml/OSBinaries/Mofcomp.yml index d8d510ad6..dfa7e0452 100644 --- a/yml/OSBinaries/Mofcomp.yml +++ b/yml/OSBinaries/Mofcomp.yml 
@@ -9,9 +9,8 @@ Commands: Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository Category: Execution and Persistence Privileges: User - MitreID: T1047 + MitreID: T1047 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 & Windows Server 2008 and above -Commands: - Command: mofcomp.exe C:\Programdata\x.mof Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository From bc58497c1a1d31a566daf9e0afff5dfa4b722ca4 Mon Sep 17 00:00:00 2001 From: Conor Richard Date: Fri, 6 Oct 2023 22:01:49 -0400 Subject: [PATCH 6/7] Update Mofcomp.yml Fixing more YAML errors --- yml/OSBinaries/Mofcomp.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/yml/OSBinaries/Mofcomp.yml b/yml/OSBinaries/Mofcomp.yml index dfa7e0452..db61e8378 100644 --- a/yml/OSBinaries/Mofcomp.yml +++ b/yml/OSBinaries/Mofcomp.yml 
@@ -7,14 +7,14 @@ Commands: - Command: mofcomp.exe C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\xitmf Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository - Category: Execution and Persistence + Category: Execution Privileges: User MitreID: T1047 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 & Windows Server 2008 and above - Command: mofcomp.exe C:\Programdata\x.mof Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository - Category: Execution and Persistence + Category: Execution Privileges: User MitreID: T1047 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 & Windows Server 2008 and above From d2eb56d9b7604eaaecf247b9a84da067afd2e503 Mon Sep 17 00:00:00 2001 From: Conor Richard Date: Fri, 6 Oct 2023 22:04:06 -0400 Subject: [PATCH 7/7] Update Mofcomp.yml YAML Syntax --- yml/OSBinaries/Mofcomp.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/yml/OSBinaries/Mofcomp.yml b/yml/OSBinaries/Mofcomp.yml index db61e8378..c2b2a1b42 100644 --- a/yml/OSBinaries/Mofcomp.yml +++ b/yml/OSBinaries/Mofcomp.yml 
@@ -7,14 +7,14 @@ Commands: - Command: mofcomp.exe C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\xitmf Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository - Category: Execution + Category: Execute Privileges: User MitreID: T1047 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 & Windows Server 2008 and above - Command: mofcomp.exe C:\Programdata\x.mof Description: Abuse of mofcomp.exe to parse a file which contains MOF statements in order create new classes as part of the WMI repository Usecase: Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository - Category: Execution + Category: Execute Privileges: User MitreID: T1047 OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11 & Windows Server 2008 and above
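Review bot: PATCH 1/7, hunk `@@ -0,0 +1,40 @@`, declares the top-level key `Commands:` twice, so a YAML loader keeps only the second mapping and the `mofcomp.exe C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\xitmf` entry is silently dropped; both `- Command:` items belong under one `Commands:` list (PATCH 5/7 later removes the second key, and that fix should be squashed into this commit so no intermediate revision is unparseable). In the same hunk the Usecase text `Threat actors can use mofcomp.exe to decompile a BMOF binary and then register a malicious class in the WMI repository` contradicts the Description two lines above it, which correctly calls mofcomp a compiler that parses MOF statements into the repository: mofcomp compiles a text or binary MOF file into the WMI repository, it does not decompile BMOF back to text, so reword to "compile a (binary) MOF file and register a malicious class". Both Description lines also read `in order create new classes`, missing "to", and `Windows vista` should be `Windows Vista`. `Privileges: User` needs verifying: adding classes and instances to the repository (in particular to root\subscription, which the in.security and threatpunter links added in PATCH 2/7 describe) normally requires administrative rights, and the DFIR Report case this is taken from ran as the SQL Server service account; test with a non-admin user or change to Administrator. Finally, the two command entries carry identical Description, Usecase, Category and MitreID and differ only in the input path, and `Code_Sample: - Code:` is empty; either drop one entry and the empty block or give the second entry a distinct use, for example the documented `-N:<namespace>` switch from the mofcomp link the entry itself cites.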
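Review bot: PATCH 3/7, hunk `@@ -1,6 +1,7 @@`, renames `Name: Mofcomp.exe` to `Name: mofcomp.exe` while the file stays `yml/OSBinaries/Mofcomp.yml`; check the capitalisation convention the other OSBinaries entries use for `Name` and whether the CI name check compares it against the file name before changing case. The sentence appended to the Description, `Threat actors can leverage this binary to install malicious MOF scripts`, is also missing its terminating period, and "MOF files" is the more accurate noun, since a MOF file is a set of class and instance declarations rather than a script.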
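Review bot: PATCH 3/7, hunk `@@ -19,12 +20,12 @@`, lowercases the IOC to `strange parent processes spawning mofcomp.exe like cmd.exe or powershell.exe`, which leaves the sentence starting in lowercase for no gain; keep the original capital. More importantly the IOC is weak on its own, because administrators and installers routinely invoke mofcomp from cmd.exe and scripts. Add what the entry's own command lines already show: a MOF source under a user-writable directory such as `C:\ProgramData` or a `\AppData\Local\Temp` path, and an input file without a `.mof` extension (`xitmf`), since mofcomp does not require the extension and a detection keyed on `*.mof` would miss the reported case. The `\wbem\` path correction in this hunk is right (the binary lives in `%SystemRoot%\System32\wbem`), and the first patch's `system32\mofcomp.exe` paths should never have been committed, so squash this fix into PATCH 1/7.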
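Review bot: PATCH 4/7, hunk `@@ -9,21 +9,19 @@`, drops `T1546.003` from both `MitreID` fields and keeps only `T1047`, which leaves the Usecase text about registering a malicious class in the repository (persistence, and the subject of both resource links added in PATCH 2/7) with no matching technique. If the schema accepts a single ID per command, map one command entry to `T1047` and the other to `T1546.003` rather than duplicating `T1047` on two otherwise identical entries. The same hunk touches the OperatingSystem lines to add Windows 11 but leaves `Windows vista` uncapitalised; fix it while the lines are being edited.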
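Review bot: PATCH 5/7, hunk `@@ -9,9 +9,8 @@`, removes the second `Commands:` key, which is the correct fix for the duplicate-key problem introduced in PATCH 1/7, and the `- MitreID: T1047` / `+ MitreID: T1047` pair is a whitespace-only change. Both belong in the first commit; as the series stands, revisions 1 through 4 of the file do not load as intended.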
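Review bot: PATCH 7/7, hunk `@@ -7,14 +7,14 @@`, changes `Category: Execution` to `Category: Execute`, immediately after PATCH 6/7 changed `Execution and Persistence` to `Execution` on the same two lines; squash the two commits and confirm `Execute` against the allowed category values for this repository. With the category now limited to execution, the Description (`install malicious MOF scripts`) and Usecase (`register a malicious class in the WMI repository`) still describe persistence; either trim them to the execution case or keep a second command entry for persistence.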