Synopsis
| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Hour |
| Required Data | |
| Detection Modules | |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003) |
| Severity | Informational |
Description
mofcomp.exe, the WMI Managed Object Format (MOF) compiler, compiles MOF files into the WMI repository. Because a MOF file can define a permanent event subscription (an event filter, an event consumer and the binding between them), an attacker can use it to register code that runs on a schedule or in response to a system event, executed from the context of a Microsoft-signed WMI host process rather than from an attacker-owned binary.
Attacker's Goals
Run code whenever a WMI event trigger fires, from the context of the trusted WMI host process, so that the payload persists in the WMI repository and is re-executed without a scheduled task or autorun entry.
Investigative actions
- Verify whether the process that launched mofcomp.exe, its parent process and the user context are expected. Legitimate MOF compilations are typically performed by installers and system components; a scripting host, Office application or shell started from an interactive user session is a stronger signal.
- Inspect the MOF file being compiled for malicious indicators: instances of __EventFilter, an event consumer class such as CommandLineEventConsumer or ActiveScriptEventConsumer, and a __FilterToConsumerBinding, especially in the root\subscription namespace. Examine any CommandLineTemplate or ScriptText payload for encoded PowerShell, script hosts or other living-off-the-land binaries.
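The following script shows one way to carry out the second investigative action, triaging a MOF file for the three objects that make up a permanent WMI event subscription and extracting the payload they would execute. It is an added example, not code from the original page or from the detector itself; the two MOF files it parses are constructed samples, and the list of suspicious payload tokens is an assumption to be tuned per environment.

```python
"""Triage a MOF file for permanent WMI event subscription objects (T1546.003).
Added example; the sample MOF files below are constructed, not from any real intrusion."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed malicious sample: filter + consumer + binding compiled into root\subscription,
# so the CommandLineTemplate runs every time the WQL query fires.
SAMPLE_MOF = r'''
#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $Filt
{
    Name = "UpdaterFilter";
    EventNamespace = "root\\cimv2";
    QueryLanguage = "WQL";
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA \"Win32_PerfFormattedData_PerfOS_System\"";
};

instance of CommandLineEventConsumer as $Cons
{
    Name = "UpdaterConsumer";
    CommandLineTemplate = "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA";
};

instance of __FilterToConsumerBinding
{
    Filter = $Filt;
    Consumer = $Cons;
};
'''

# Constructed benign sample: a class schema only, no subscription objects.
BENIGN_MOF = r'''
#pragma namespace("\\\\.\\root\\cimv2")
class Contoso_Inventory
{
    [key] string Hostname;
    uint32 Version;
};
'''

# 'instance of Class [as $alias] { key = value; ... };'
INSTANCE_RE = re.compile(
    r'instance\s+of\s+(?P<cls>\w+)(?:\s+as\s+\$(?P<alias>\w+))?\s*\{(?P<body>.*?)\};',
    re.DOTALL | re.IGNORECASE)
# A property value is a string literal (with \" escapes), an $alias reference, or a bare token.
PROP_RE = re.compile(r'(?P<key>\w+)\s*=\s*(?P<val>"(?:[^"\\]|\\.)*"|\$\w+|[^;]+);')

# Consumer classes that execute attacker-controlled text, and the property carrying it.
PAYLOAD_PROPERTY = {"commandlineeventconsumer": "CommandLineTemplate",
                    "activescripteventconsumer": "ScriptText"}
# Assumption: heuristic tokens seen in malicious payloads; tune for your environment.
SUSPICIOUS_TOKENS = ("powershell", "-nop", "-w hidden", "-enc", "cmd /c", "mshta",
                     "wscript", "cscript", "rundll32", "regsvr32", "certutil", "bitsadmin")


@dataclass
class MofInstance:
    cls: str
    alias: Optional[str]
    props: dict


def parse_mof(text: str) -> list:
    """Extract every 'instance of' block with its properties, unescaping string literals."""
    instances = []
    for m in INSTANCE_RE.finditer(text):
        props = {}
        for p in PROP_RE.finditer(m.group("body")):
            val = p.group("val").strip()
            if val.startswith('"'):
                val = re.sub(r"\\(.)", r"\1", val[1:-1])  # \" -> ", \\ -> \
            props[p.group("key")] = val
        instances.append(MofInstance(m.group("cls"), m.group("alias"), props))
    return instances


def _ref_name(ref: str, by_alias: dict) -> Optional[str]:
    """Resolve a binding reference: '$alias' or an object path containing Name=\"...\"."""
    if ref.startswith("$"):
        inst = by_alias.get(ref[1:])
        return inst.props.get("Name") if inst else None
    m = re.search(r'Name="([^"]+)"', ref)
    return m.group(1) if m else None


def triage_mof(text: str) -> dict:
    """Return the subscription objects found and the reasons the file looks malicious."""
    instances = parse_mof(text)
    by_alias = {i.alias: i for i in instances if i.alias}
    filters = [i for i in instances if i.cls.lower() == "__eventfilter"]
    consumers = [i for i in instances if i.cls.lower().endswith("eventconsumer")]
    bindings = [i for i in instances if i.cls.lower() == "__filtertoconsumerbinding"]
    reasons = []
    for c in consumers:
        payload = c.props.get(PAYLOAD_PROPERTY.get(c.cls.lower(), ""), "")
        hits = [t for t in SUSPICIOUS_TOKENS if t in payload.lower()]
        if hits:
            reasons.append(f"{c.cls} '{c.props.get('Name')}' payload contains {', '.join(hits)}")
        elif payload:
            reasons.append(f"{c.cls} '{c.props.get('Name')}' carries an executable payload")
    resolved = [(_ref_name(b.props.get("Filter", ""), by_alias),
                 _ref_name(b.props.get("Consumer", ""), by_alias)) for b in bindings]
    for f, c in resolved:
        reasons.append(f"binding wires filter '{f}' to consumer '{c}' (permanent subscription)")
    return {
        "filters": [(i.props.get("Name"), i.props.get("Query")) for i in filters],
        "consumers": [(i.cls, i.props.get("Name")) for i in consumers],
        "bindings": resolved,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for label, mof in (("sample", SAMPLE_MOF), ("benign", BENIGN_MOF)):
        print(label, triage_mof(mof))
```

Run it against the MOF path taken from the mofcomp.exe command line in the alert; a file that defines only classes or instances outside root\subscription yields no findings, while a filter, consumer and binding together are the signature of the persistence this detector is looking for.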