Generated docs from job=generate-docs branch=master [ci skip]

atomics/Indexes/Indexes-CSV/index.csv

@@ -496,6 +496,7 @@ privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client imp
 privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
+privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
 privilege-escalation,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
 privilege-escalation,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
 privilege-escalation,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
@@ -716,6 +717,7 @@ persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijack
 persistence,T1098.001,Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
 persistence,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
 persistence,T1546.003,Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
+persistence,T1546.003,Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
 persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
 persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
 persistence,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -369,6 +369,7 @@ privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client imp
 privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
 privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
+privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
 privilege-escalation,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
 privilege-escalation,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
 privilege-escalation,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
@@ -528,6 +529,7 @@ persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerSh
 persistence,T1546.009,AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
 persistence,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
 persistence,T1546.003,Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
+persistence,T1546.003,Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
 persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
 persistence,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
 persistence,T1547.001,Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -784,6 +784,7 @@
 - [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
   - Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
   - Atomic Test #2: Persistence via WMI Event Subscription - ActiveScriptEventConsumer [windows]
+  - Atomic Test #3: Windows MOFComp.exe Load MOF File [windows]
 - [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
   - Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
   - Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
@@ -1216,6 +1217,7 @@
 - [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
   - Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
   - Atomic Test #2: Persistence via WMI Event Subscription - ActiveScriptEventConsumer [windows]
+  - Atomic Test #3: Windows MOFComp.exe Load MOF File [windows]
 - T1060 Registry Run Keys / Startup Folder [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1023 Shortcut Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -590,6 +590,7 @@
 - [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
   - Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
   - Atomic Test #2: Persistence via WMI Event Subscription - ActiveScriptEventConsumer [windows]
+  - Atomic Test #3: Windows MOFComp.exe Load MOF File [windows]
 - [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
   - Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
   - Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
@@ -894,6 +895,7 @@
 - [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
   - Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
   - Atomic Test #2: Persistence via WMI Event Subscription - ActiveScriptEventConsumer [windows]
+  - Atomic Test #3: Windows MOFComp.exe Load MOF File [windows]
 - T1060 Registry Run Keys / Startup Folder [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1023 Shortcut Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)

atomics/Indexes/index.yaml

@@ -34051,6 +34051,48 @@ privilege-escalation:
           $EventFilterToCleanup | Remove-WmiObject
         name: powershell
         elevation_required: true
+    - name: Windows MOFComp.exe Load MOF File
+      auto_generated_guid: 29786d7e-8916-4de6-9c55-be7b093b2706
+      description: "The following Atomic will utilize MOFComp.exe to load a local
+        MOF file.\nThe Managed Object Format (MOF) compiler parses a file containing
+        MOF statements and adds the classes and class instances defined in the file
+        to the WMI repository. \nTo query for the class:  gwmi __eventfilter -namespace
+        root\\subscription\nA successful execution will add the class to WMI root
+        namespace.\nReference: https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/
+        and https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        mofcomp_path:
+          description: Location of mofcomp.exe
+          type: String
+          default: c:\windows\system32\wbem\mofcomp.exe
+        mof_file:
+          description: Local location MOF file
+          type: String
+          default: PathToAtomicsFolder\T1546.003\src\T1546.003.mof
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'MofComp.exe must exist on disk at specified location (#{mofcomp_path})
+
+          '
+        prereq_command: 'if (Test-Path "#{mofcomp_path}") { exit 0} else { exit 1}
+
+          '
+        get_prereq_command: 'Validate MOFComp.exe is on disk somewhere and update
+          input argument.
+
+          '
+      executor:
+        command: "#{mofcomp_path} #{mof_file}\n"
+        cleanup_command: |
+          $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam_consumer'"
+          $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam_filter'"
+          $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
+          $FilterConsumerBindingToCleanup | Remove-WmiObject
+          $EventConsumerToCleanup | Remove-WmiObject
+          $EventFilterToCleanup | Remove-WmiObject
+        name: powershell
   T1134.004:
     technique:
       x_mitre_platforms:
@@ -55563,6 +55605,48 @@ persistence:
           $EventFilterToCleanup | Remove-WmiObject
         name: powershell
         elevation_required: true
+    - name: Windows MOFComp.exe Load MOF File
+      auto_generated_guid: 29786d7e-8916-4de6-9c55-be7b093b2706
+      description: "The following Atomic will utilize MOFComp.exe to load a local
+        MOF file.\nThe Managed Object Format (MOF) compiler parses a file containing
+        MOF statements and adds the classes and class instances defined in the file
+        to the WMI repository. \nTo query for the class:  gwmi __eventfilter -namespace
+        root\\subscription\nA successful execution will add the class to WMI root
+        namespace.\nReference: https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/
+        and https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/.\n"
+      supported_platforms:
+      - windows
+      input_arguments:
+        mofcomp_path:
+          description: Location of mofcomp.exe
+          type: String
+          default: c:\windows\system32\wbem\mofcomp.exe
+        mof_file:
+          description: Local location MOF file
+          type: String
+          default: PathToAtomicsFolder\T1546.003\src\T1546.003.mof
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'MofComp.exe must exist on disk at specified location (#{mofcomp_path})
+
+          '
+        prereq_command: 'if (Test-Path "#{mofcomp_path}") { exit 0} else { exit 1}
+
+          '
+        get_prereq_command: 'Validate MOFComp.exe is on disk somewhere and update
+          input argument.
+
+          '
+      executor:
+        command: "#{mofcomp_path} #{mof_file}\n"
+        cleanup_command: |
+          $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam_consumer'"
+          $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam_filter'"
+          $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
+          $FilterConsumerBindingToCleanup | Remove-WmiObject
+          $EventConsumerToCleanup | Remove-WmiObject
+          $EventFilterToCleanup | Remove-WmiObject
+        name: powershell
   T1060:
     technique:
       x_mitre_platforms:

atomics/T1546.003/T1546.003.md

@@ -12,6 +12,8 @@ WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe
 
 - [Atomic Test #2 - Persistence via WMI Event Subscription - ActiveScriptEventConsumer](#atomic-test-2---persistence-via-wmi-event-subscription---activescripteventconsumer)
 
+- [Atomic Test #3 - Windows MOFComp.exe Load MOF File](#atomic-test-3---windows-mofcompexe-load-mof-file)
+
 
 <br/>
 
@@ -130,4 +132,63 @@ $EventFilterToCleanup | Remove-WmiObject
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #3 - Windows MOFComp.exe Load MOF File
+The following Atomic will utilize MOFComp.exe to load a local MOF file.
+The Managed Object Format (MOF) compiler parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository. 
+To query for the class:  gwmi __eventfilter -namespace root\subscription
+A successful execution will add the class to WMI root namespace.
+Reference: https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/ and https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 29786d7e-8916-4de6-9c55-be7b093b2706
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| mofcomp_path | Location of mofcomp.exe | String | c:&#92;windows&#92;system32&#92;wbem&#92;mofcomp.exe|
+| mof_file | Local location MOF file | String | PathToAtomicsFolder&#92;T1546.003&#92;src&#92;T1546.003.mof|
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+#{mofcomp_path} #{mof_file}
+```
+
+#### Cleanup Commands:
+```powershell
+$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam_consumer'"
+$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam_filter'"
+$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
+$FilterConsumerBindingToCleanup | Remove-WmiObject
+$EventConsumerToCleanup | Remove-WmiObject
+$EventFilterToCleanup | Remove-WmiObject
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: MofComp.exe must exist on disk at specified location (#{mofcomp_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{mofcomp_path}") { exit 0} else { exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Validate MOFComp.exe is on disk somewhere and update input argument.
+```
+
+
+
+
 <br/>