Managed Object Format (MOF) is the language used to describe CIM (Common Information Model) classes. A MOF file typically contains statements, classes and class instances, which are added to the WMI repository (OBJECTS.DATA) when the file is compiled (mofcomp.exe, which ships with Windows, compiles MOF files). The contents of a MOF file are demonstrated below:
Standards for Creating a VBScript Classes Repository
Another place where DP (descriptive programming) can be of significant importance is when you are creating functions in an external file. You can use these functions in various actions directly, eliminating the need to add object(s) to the object repository for each action (if you use a local object repository). This forms the basis of the keyword-driven framework approach.
WMI permanent event subscription can remedy all these problems. It doesn't depend on a running process (save for the svchost.exe instance that hosts the Winmgmt service). Interrupting it requires knowledge of WMI, so it is not easy to stop accidentally, and you can cancel it at any time without having to restart the Winmgmt service. At its core, a permanent event subscription is a set of instances of static WMI classes stored in a CIM repository. You can use VBScript or the .NET Framework System.Management classes to create these instances and set up a permanent event subscription, but the easiest way (at least in my opinion) is to use MOF. Here is a sample MOF that you can use as a template for creating permanent event subscriptions:
Guillaume Finance, VISEO (Sparx EA Expert, OMG OCSMP Model User certified). Modelling consultant and expert on the Sparx Systems Enterprise Architect modelling tool and solution, I'm helping clients with the model-based approach using standards for a number of contexts, including:
- Software analysis, design and architecture with UML.
- Systems Engineering and MBSE with SysML.
- Enterprise Architecture, IT landscape with UML or ArchiMate.
- Business processes with BPMN.
My other activities include:
- Defining and maintaining the model repository, including requirements, analysis and design for software projects.
- Remote support and expertise on Sparx Enterprise Architect modelling.
- Running training sessions on UML or SysML with Sparx Systems Enterprise Architect.
- Installation and configuration of the Prolaborate web solution for Sparx EA.
I publish articles and news about modelling languages and Enterprise Architect on my blog www.umlchannel.com, I maintain the eaUtils free addin: www.eautils.com, and I participate in the European EA User Group events www.eausergroup.com. Contact details: guillaume[at]umlchannel.com
Contrary to their categorization as "fileless malware", WMI attacks can leave behind file system artifacts. The files representing the WMI repository can be analyzed for modifications, including offline analysis to easily detect malicious WMI Event Consumers. MOF files are a common way to introduce malicious classes into the WMI repository. What exactly is a MOF file? Think of it as a text file representing WMI class definitions and instances. Definitions in the WMI repository are initially defined in MOF files. They can also be used to extend WMI (which is how attackers use them). Sadly, a MOF file can be named anything, be located anywhere, and even deleted after it is introduced into the WMI repository. But every attack is different, and evil MOF files are still found on compromised systems. If you aren't so lucky, copies may be left behind in the C:\Windows\System32\wbem\AutoRecover folder, or referenced in the HKLM\SOFTWARE\Microsoft\Wbem\CIMOM registry key. Of course, PowerShell can be used in lieu of MOF files, but that opens up an entirely separate set of possible detections like the PowerShell Operational event log or transcript logging. What we are aiming for is layered detection.
The first step in developing your own WMI provider is to come up with a data model to represent your managed system resource or object. Your provider exposes this object or resource to consumers through WMI. The data model should include the properties and methods of your object. The model is implemented in a MOF file, which contains the class definition representing each object in your data model; the registration of the provider and its classes is included in the same MOF file. The MOF file can be compiled with mofcomp.exe to detect errors and add the provider and its classes to the WMI repository. .NET takes care of this step behind the scenes: to create a WMI provider using .NET, you just need to design and implement a .NET class decorated with some specific attributes. So, first we start with a simple .NET class, leaving the special WMI attributes until a little later.
You can access and modify any PowerDesigner object and its properties by script. Objects include not only standard design objects (such as tables, classes, processes, and columns), but also diagrams and symbols and functional objects (such as a report or repository). An object belongs to a metaclass of the PowerDesigner metamodel and inherits properties, collections and methods from its metaclass.