Detectionhightest

Potential Suspicious Mofcomp Execution

Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a suspicious path in the commandline. The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. Attackers abuse this utility to install malicious MOF scripts

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Tue Jul 12Updated Tue Apr 111dd05363-104e-4b4a-b963-196a534b03a1windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_img:
        - Image|endswith: '\mofcomp.exe'
        - OriginalFileName: 'mofcomp.exe'
    selection_case:
        - ParentImage|endswith:
              - '\cmd.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wsl.exe'
              - '\wscript.exe'
              - '\cscript.exe'
        - CommandLine|contains:
              - '\AppData\Local\Temp'
              - '\Users\Public\'
              - '\WINDOWS\Temp\'
              - '%temp%'
              - '%tmp%'
              - '%appdata%'
    filter_main_wmiprvse:
        ParentImage: 'C:\Windows\System32\wbem\WmiPrvSE.exe'
        CommandLine|contains: 'C:\Windows\TEMP\'
        CommandLine|endswith: '.mof'
    filter_optional_null_parent:
        # Sometimes the parent information isn't available from the Microsoft-Windows-Security-Auditing provider.
        CommandLine|contains: 'C:\Windows\TEMP\'
        CommandLine|endswith: '.mof'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*