security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0cbbae4f83fe320e299d2f318413686972df7606
sigma-rules/rules/windows/execution_mofcomp.toml
T
Jonhnathan 7b655759ab [Rule Tuning] 3rd Party EDR Compatibility - 10 (#4035) 
* [Rule Tuning] 3rd Party EDR Compatibility - 10

* min_stack for merge, bump updated_date
2024-10-11 15:58:37 -03:00

81 lines
2.2 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2023/08/23"
integration = ["endpoint", "m365_defender", "system"]
maturity = "production"
updated_date = "2024/10/10"
[rule]
author = ["Elastic"]
description = """
Managed Object Format (MOF) files can be compiled locally or remotely through mofcomp.exe. Attackers may leverage MOF
files to build their own namespaces and classes into the Windows Management Instrumentation (WMI) repository, or
establish persistence using WMI Event Subscription.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "endgame-*", "logs-system.security-*"]
language = "eql"
license = "Elastic License v2"
name = "Mofcomp Activity"
risk_score = 21
rule_id = "210d4430-b371-470e-b879-80b7182aa75e"
severity = "low"
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Execution",
"Data Source: Elastic Defend",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: Elastic Endgame",
"Data Source: System",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "windows" and event.type == "start" and
process.name : "mofcomp.exe" and process.args : "*.mof" and
not user.id : "S-1-5-18" and
not
(
process.parent.name : "ScenarioEngine.exe" and
process.args : (
"*\\MSSQL\\Binn\\*.mof",
"*\\Microsoft SQL Server\\???\\Shared\\*.mof",
"*\\OLAP\\bin\\*.mof"
)
)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1047"
name = "Windows Management Instrumentation"
reference = "https://attack.mitre.org/techniques/T1047/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.003"
name = "Windows Management Instrumentation Event Subscription"
reference = "https://attack.mitre.org/techniques/T1546/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
Reference in New Issue View Git Blame Copy Permalink