Uncommon Managed Object Format (MOF) compiler usage

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Hour

Required Data

  • Requires:
    • XDR Agent

Detection Modules

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003)

Severity

Informational

Description

The mofcomp.exe WMI MOF compiled is used to compile code into the WMI repository that in turn may enable attackers to run scheduled or triggered code from the context of a Microsoft signed binary.

Attacker's Goals

Run code via triggers from the context of the WMI executor.

Investigative actions

  • Verify if the executing process is suspicious.
  • Check if the MOF file being compiled has any malicious indicators within it.