Potential Suspicious Mofcomp Execution
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
Potential Suspicious Mofcomp Execution | Standard | Windows | Defense Evasion: System Binary Proxy Execution (T1218) | Critical |
About the rule
Rule Type
Standard
Rule Description
The mofcomp.exe utility is a legitimate Windows tool used to compile Managed Object Format (MOF) files, which define Windows Management Instrumentation (WMI) classes. However, attackers can abuse mofcomp.exe to register malicious WMI classes or event consumers that enable persistence, lateral movement, or surveillance capabilities. This detection identifies instances where mofcomp.exe is executed in a suspicious manner indicating potential misuse for stealthy persistence or privilege escalation.
Severity
Trouble
Rule journey
Attack chain scenario
Initial Access → Privilege Escalation → Persistence → Execution → Defense Evasion
Impact
- Privilege abuse
- Defense evasion
- Execution of malicious payloads
- Persistence and stealth
Rule Requirement
Prerequisites
Using Windows event viewer:
To enable detailed process tracking in a domain environment, log in to a domain controller using domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the target OU and navigate to the Advanced Audit Policy Configuration section to enable success auditing for both process creation and termination. To capture command-line details, enable the Include command line in process creation events setting under Audit Process Creation. Additionally, create the Microsoft-Windows-Security-Auditing/Operational registry key in the specified EventLog path to support enhanced auditing.
Using Sysmon:
To enable detailed process monitoring using Sysmon, first download and install it from Microsoft Sysinternals. Run Command Prompt as an administrator and install Sysmon with a configuration file that includes process creation tracking using sysmon.exe -i [configfile.xml]. Ensure your configuration includes a <ProcessCreate> filter to capture all process creation events. Additionally, create the Microsoft-Windows-Sysmon/Operational registry key under the EventLog path if it doesn’t already exist.
Criteria
Action1: actionname = "Process started" AND ((PROCESSNAME endswith "\mofcomp.exe" OR ORIGINALFILENAME = "mofcomp.exe") AND (PARENTPROCESSNAME endswith "\cmd.exe,\powershell.exe,\pwsh.exe,\wsl.exe,\wscript.exe,\cscript.exe" OR COMMANDLINE contains "\AppData\Local\Temp,\Users\Public\,\WINDOWS\Temp\,%temp%,%tmp%,%appdata%")) AND (PARENTPROCESSNAME != "C:\Windows\System32\wbem\WmiPrvSE.exe" OR COMMANDLINE notcontains "C:\Windows\TEMP" OR COMMANDLINE notendswith ".mof") AND (COMMANDLINE notcontains "C:\Windows\TEMP" OR COMMANDLINE notendswith ".mof") select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
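The criteria above, re-implemented as a small evaluator and run over constructed process-creation events. This is an added example, not the vendor's rule engine; it assumes the comma-separated lists in the query are alternatives and that string matching is case-insensitive.

```python
from dataclasses import dataclass

# Comma-separated values in the rule are read as alternatives and all string
# comparisons are case-insensitive (both assumptions about the query dialect).
SCRIPT_HOSTS = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe",
                "\\wsl.exe", "\\wscript.exe", "\\cscript.exe")
USER_WRITABLE = ("\\appdata\\local\\temp", "\\users\\public\\",
                 "\\windows\\temp\\", "%temp%", "%tmp%", "%appdata%")
WMIPRVSE = "c:\\windows\\system32\\wbem\\wmiprvse.exe"

@dataclass
class ProcessEvent:  # one "Process started" event (Sysmon EID 1 / Security 4688)
    hostname: str
    process_name: str
    command_line: str
    parent_process_name: str
    original_file_name: str = ""

def is_suspicious_mofcomp(ev: ProcessEvent) -> bool:
    proc, cmd = ev.process_name.lower(), ev.command_line.lower()
    parent = ev.parent_process_name.lower()
    # Selection: mofcomp.exe by image path, or by PE OriginalFileName if renamed
    is_mofcomp = (proc.endswith("\\mofcomp.exe")
                  or ev.original_file_name.lower() == "mofcomp.exe")
    # Suspicious context: spawned by a script host or fed a user-writable path
    from_script_host = parent.endswith(SCRIPT_HOSTS)
    from_user_path = any(p in cmd for p in USER_WRITABLE)
    if not (is_mofcomp and (from_script_host or from_user_path)):
        return False
    # Exclusions: compiling a .mof from C:\Windows\TEMP (the WMI service's own
    # autorecover location) is filtered, whether or not WmiPrvSE is the parent
    windows_temp_mof = "c:\\windows\\temp" in cmd and cmd.endswith(".mof")
    wmi_self_compile = parent == WMIPRVSE and windows_temp_mof
    return not (wmi_self_compile or windows_temp_mof)

SAMPLE_EVENTS = [  # constructed, not real telemetry
    ProcessEvent("ws01", "C:\\Windows\\System32\\wbem\\mofcomp.exe",
                 "mofcomp.exe C:\\Users\\Public\\persist.mof",
                 "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"),
    ProcessEvent("ws02", "C:\\Windows\\Temp\\mc.exe", "mc.exe %TEMP%\\p.mof",
                 "C:\\Windows\\System32\\cmd.exe", original_file_name="mofcomp.exe"),
    ProcessEvent("srv01", "C:\\Windows\\System32\\wbem\\mofcomp.exe",
                 "mofcomp.exe C:\\Windows\\TEMP\\autorecover.mof", WMIPRVSE),
    ProcessEvent("srv02", "C:\\Windows\\System32\\wbem\\mofcomp.exe",
                 "mofcomp.exe \"C:\\Program Files\\Vendor\\agent.mof\"",
                 "C:\\Windows\\System32\\msiexec.exe"),
]

def flagged_hosts(events=SAMPLE_EVENTS):  # hostnames the rule would alert on
    return [ev.hostname for ev in events if is_suspicious_mofcomp(ev)]
```

The ws02 event shows why the rule also keys on ORIGINALFILENAME: a renamed copy of mofcomp.exe is still caught, while srv01 (the WMI service's own .mof recompile in C:\Windows\TEMP) is dropped by the exclusion clauses.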
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Defense Evasion: System Binary Proxy Execution (T1218)
Security Standards
Enabling this rule will help you meet the security standard's requirement listed below:
DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events
This rule detects execution of mofcomp.exe, which is commonly abused to register WMI event consumers for persistence or stealthy code execution.
Author
Nasreddine Bencherchali (Nextron Systems)
Future actions
Known False Positives
Automated scripts or software installers that register WMI components as part of their setup or operation.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Review the command-line arguments used with mofcomp.exe, especially for unusual .mof file paths or content.
- Analysis: Examine recent file system changes involving .mof files, correlate with Windows Event Logs and WMI logs for suspicious WMI provider registration.
- Response: Isolate the endpoint, remove unauthorized WMI classes or providers and review WMI repository integrity and restore from backup if tampering is detected.
- Restrict LSASS Access: Enable Windows Defender Credential Guard to block unprivileged access to LSASS memory.
Mitigation
Mitigation ID | Mitigation Name | Mitigation description |
M1042 | Disable or Remove Feature or Program | Many native binaries may not be necessary within a given environment. |
M1038 | Execution Prevention | Use application control to prevent the execution of binaries that are susceptible to abuse and not required for a given system or network. |
M1050 | Exploit Protection | Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can help block methods that use trusted binaries to bypass application control. |
M1037 | Filter Network Traffic | Utilize network appliances to filter incoming and outgoing traffic and perform protocol-based filtering. Also, configure software on endpoints to filter network traffic. |
M1026 | Privileged Account Management | Restrict the execution of particularly vulnerable binaries to only those privileged accounts or groups that absolutely require them, thereby reducing opportunities for malicious use. |
M1021 | Restrict Web-Based Content | Restrict the execution of particularly vulnerable binaries to only those privileged accounts or groups that absolutely require them, thereby reducing opportunities for malicious use. |