diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index fb221a7b..fd432b80 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -496,6 +496,7 @@ privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client imp
privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
+privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
privilege-escalation,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
privilege-escalation,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
privilege-escalation,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
@@ -716,6 +717,7 @@ persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijack
persistence,T1098.001,Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
persistence,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
persistence,T1546.003,Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
+persistence,T1546.003,Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
persistence,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index fa7f9e10..a60044ab 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -369,6 +369,7 @@ privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client imp
privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
+privilege-escalation,T1546.003,Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
privilege-escalation,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
privilege-escalation,T1134.004,Parent PID Spoofing,2,Parent PID Spoofing - Spawn from Current Process,14920ebd-1d61-491a-85e0-fe98efe37f25,powershell
privilege-escalation,T1134.004,Parent PID Spoofing,3,Parent PID Spoofing - Spawn from Specified Process,cbbff285-9051-444a-9d17-c07cd2d230eb,powershell
@@ -528,6 +529,7 @@ persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerSh
persistence,T1546.009,AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
persistence,T1546.003,Windows Management Instrumentation Event Subscription,1,Persistence via WMI Event Subscription - CommandLineEventConsumer,3c64f177-28e2-49eb-a799-d767b24dd1e0,powershell
persistence,T1546.003,Windows Management Instrumentation Event Subscription,2,Persistence via WMI Event Subscription - ActiveScriptEventConsumer,fecd0dfd-fb55-45fa-a10b-6250272d0832,powershell
+persistence,T1546.003,Windows Management Instrumentation Event Subscription,3,Windows MOFComp.exe Load MOF File,29786d7e-8916-4de6-9c55-be7b093b2706,powershell
persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
persistence,T1547.001,Registry Run Keys / Startup Folder,1,Reg Key Run,e55be3fd-3521-4610-9d1a-e210e42dcf05,command_prompt
persistence,T1547.001,Registry Run Keys / Startup Folder,2,Reg Key RunOnce,554cbd88-cde1-4b56-8168-0be552eed9eb,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index e765b3eb..91c33b47 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -784,6 +784,7 @@
- [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
- Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
- Atomic Test #2: Persistence via WMI Event Subscription - ActiveScriptEventConsumer [windows]
+ - Atomic Test #3: Windows MOFComp.exe Load MOF File [windows]
- [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
@@ -1216,6 +1217,7 @@
- [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
- Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
- Atomic Test #2: Persistence via WMI Event Subscription - ActiveScriptEventConsumer [windows]
+ - Atomic Test #3: Windows MOFComp.exe Load MOF File [windows]
- T1060 Registry Run Keys / Startup Folder [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1023 Shortcut Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index 63442665..030d9e4b 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -590,6 +590,7 @@
- [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
- Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
- Atomic Test #2: Persistence via WMI Event Subscription - ActiveScriptEventConsumer [windows]
+ - Atomic Test #3: Windows MOFComp.exe Load MOF File [windows]
- [T1134.004 Parent PID Spoofing](../../T1134.004/T1134.004.md)
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
@@ -894,6 +895,7 @@
- [T1546.003 Windows Management Instrumentation Event Subscription](../../T1546.003/T1546.003.md)
- Atomic Test #1: Persistence via WMI Event Subscription - CommandLineEventConsumer [windows]
- Atomic Test #2: Persistence via WMI Event Subscription - ActiveScriptEventConsumer [windows]
+ - Atomic Test #3: Windows MOFComp.exe Load MOF File [windows]
- T1060 Registry Run Keys / Startup Folder [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1023 Shortcut Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml
index 027e3f2f..6ec86c4a 100644
--- a/atomics/Indexes/index.yaml
+++ b/atomics/Indexes/index.yaml
@@ -34051,6 +34051,48 @@ privilege-escalation:
$EventFilterToCleanup | Remove-WmiObject
name: powershell
elevation_required: true
+ - name: Windows MOFComp.exe Load MOF File
+ auto_generated_guid: 29786d7e-8916-4de6-9c55-be7b093b2706
+ description: "The following Atomic will utilize MOFComp.exe to load a local
+ MOF file.\nThe Managed Object Format (MOF) compiler parses a file containing
+ MOF statements and adds the classes and class instances defined in the file
+ to the WMI repository. \nTo query for the class: gwmi __eventfilter -namespace
+ root\\subscription\nA successful execution will add the class to WMI root
+ namespace.\nReference: https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/
+ and https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/.\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ mofcomp_path:
+ description: Location of mofcomp.exe
+ type: String
+ default: c:\windows\system32\wbem\mofcomp.exe
+ mof_file:
+ description: Local location MOF file
+ type: String
+ default: PathToAtomicsFolder\T1546.003\src\T1546.003.mof
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'MofComp.exe must exist on disk at specified location (#{mofcomp_path})
+
+ '
+ prereq_command: 'if (Test-Path "#{mofcomp_path}") { exit 0} else { exit 1}
+
+ '
+ get_prereq_command: 'Validate MOFComp.exe is on disk somewhere and update
+ input argument.
+
+ '
+ executor:
+ command: "#{mofcomp_path} #{mof_file}\n"
+ cleanup_command: |
+ $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam_consumer'"
+ $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam_filter'"
+ $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
+ $FilterConsumerBindingToCleanup | Remove-WmiObject
+ $EventConsumerToCleanup | Remove-WmiObject
+ $EventFilterToCleanup | Remove-WmiObject
+ name: powershell
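Review bot: The new atomic's executor ends at `name: powershell` without the `elevation_required: true` that both sibling T1546.003 tests carry (visible in the context line just above the hunk), yet compiling a MOF into root\subscription and the Remove-WmiObject cleanup both need an elevated session, so the runner will not warn a non-admin user and the test will die on an access-denied error instead of a clear prerequisite message; add `elevation_required: true` after `name: powershell`. The `get_prereq_command` is a prose sentence rather than PowerShell, so `-GetPrereqs` will try to execute `Validate` as a cmdlet and throw; make it an actual message, e.g. `Write-Host "MofComp.exe not found at #{mofcomp_path}; update the mofcomp_path input argument."`. The cleanup assumes the compiled MOF registers an __EventFilter named `AtomicRedTeam_filter` and a CommandLineEventConsumer named `AtomicRedTeam_consumer`; the MOF itself is not part of this diff, so that naming should be confirmed against src/T1546.003.mof, otherwise the subscription silently survives cleanup.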
T1134.004:
technique:
x_mitre_platforms:
@@ -55563,6 +55605,48 @@ persistence:
$EventFilterToCleanup | Remove-WmiObject
name: powershell
elevation_required: true
+ - name: Windows MOFComp.exe Load MOF File
+ auto_generated_guid: 29786d7e-8916-4de6-9c55-be7b093b2706
+ description: "The following Atomic will utilize MOFComp.exe to load a local
+ MOF file.\nThe Managed Object Format (MOF) compiler parses a file containing
+ MOF statements and adds the classes and class instances defined in the file
+ to the WMI repository. \nTo query for the class: gwmi __eventfilter -namespace
+ root\\subscription\nA successful execution will add the class to WMI root
+ namespace.\nReference: https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/
+ and https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/.\n"
+ supported_platforms:
+ - windows
+ input_arguments:
+ mofcomp_path:
+ description: Location of mofcomp.exe
+ type: String
+ default: c:\windows\system32\wbem\mofcomp.exe
+ mof_file:
+ description: Local location MOF file
+ type: String
+ default: PathToAtomicsFolder\T1546.003\src\T1546.003.mof
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'MofComp.exe must exist on disk at specified location (#{mofcomp_path})
+
+ '
+ prereq_command: 'if (Test-Path "#{mofcomp_path}") { exit 0} else { exit 1}
+
+ '
+ get_prereq_command: 'Validate MOFComp.exe is on disk somewhere and update
+ input argument.
+
+ '
+ executor:
+ command: "#{mofcomp_path} #{mof_file}\n"
+ cleanup_command: |
+ $EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam_consumer'"
+ $EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam_filter'"
+ $FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
+ $FilterConsumerBindingToCleanup | Remove-WmiObject
+ $EventConsumerToCleanup | Remove-WmiObject
+ $EventFilterToCleanup | Remove-WmiObject
+ name: powershell
T1060:
technique:
x_mitre_platforms:
diff --git a/atomics/T1546.003/T1546.003.md b/atomics/T1546.003/T1546.003.md
index f0fc4787..498401c0 100644
--- a/atomics/T1546.003/T1546.003.md
+++ b/atomics/T1546.003/T1546.003.md
@@ -12,6 +12,8 @@ WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe
- [Atomic Test #2 - Persistence via WMI Event Subscription - ActiveScriptEventConsumer](#atomic-test-2---persistence-via-wmi-event-subscription---activescripteventconsumer)
+- [Atomic Test #3 - Windows MOFComp.exe Load MOF File](#atomic-test-3---windows-mofcompexe-load-mof-file)
+
@@ -130,4 +132,63 @@ $EventFilterToCleanup | Remove-WmiObject
+
+
+
+## Atomic Test #3 - Windows MOFComp.exe Load MOF File
+The following Atomic will utilize MOFComp.exe to load a local MOF file.
+The Managed Object Format (MOF) compiler parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
+To query for the class: gwmi __eventfilter -namespace root\subscription
+A successful execution will add the class to WMI root namespace.
+Reference: https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/ and https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 29786d7e-8916-4de6-9c55-be7b093b2706
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| mofcomp_path | Location of mofcomp.exe | String | c:\windows\system32\wbem\mofcomp.exe|
+| mof_file | Local location MOF file | String | PathToAtomicsFolder\T1546.003\src\T1546.003.mof|
+
+
+#### Attack Commands: Run with `powershell`!
+
+
+```powershell
+#{mofcomp_path} #{mof_file}
+```
+
+#### Cleanup Commands:
+```powershell
+$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter "Name = 'AtomicRedTeam_consumer'"
+$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter "Name = 'AtomicRedTeam_filter'"
+$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query "REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding" -ErrorAction SilentlyContinue
+$FilterConsumerBindingToCleanup | Remove-WmiObject
+$EventConsumerToCleanup | Remove-WmiObject
+$EventFilterToCleanup | Remove-WmiObject
+```
+
+
+
+#### Dependencies: Run with `powershell`!
+##### Description: MofComp.exe must exist on disk at specified location (#{mofcomp_path})
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{mofcomp_path}") { exit 0} else { exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+Validate MOFComp.exe is on disk somewhere and update input argument.
+```
+
+
+
+
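Review bot: The description of Atomic Test #3 says a successful run "will add the class to WMI root namespace", but the verification query it gives and the cleanup block both target `root\subscription`, so a reader checking the wrong namespace will conclude the test failed; change the sentence to `A successful execution will add the filter, consumer and binding defined in the MOF to the root\subscription namespace.` (the wording lives in the T1546.003.yaml this file is generated from, so fix it there). The attack command `#{mofcomp_path} #{mof_file}` is unquoted, so a PathToAtomicsFolder or mofcomp_path containing a space breaks PowerShell's parsing of the invocation; prefer `& "#{mofcomp_path}" "#{mof_file}"`. Which WMI instances the MOF actually defines is inferred from the cleanup block, since the MOF source is not in this diff.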