
Komari: The “Monitoring” Tool That Didn't Need Weaponising

A threat actor utilized compromised VPN credentials to access a partner network, pivoting via a customized Impacket smbexec.py to enable RDP and establish an interactive session. The attacker then installed the open-source monitoring tool Komari directly from GitHub, leveraging its native WebSocket capabilities as a persistent, SYSTEM-level command-and-control (C2) backdoor disguised as the Windows Update Service.

Sens: 24h | Conf: high | Analyzed: 2026-05-01 | reports

Authors: Huntress

Actors: Unknown commodity operator

Source: Huntress

IOCs · 6

Detection / Hunter

What Happened

A cyber attacker gained access to a company's network using stolen VPN login details. Once inside, they secretly changed computer settings to allow remote desktop access, giving them direct control over a workstation. They then installed a legitimate, free monitoring tool called Komari, which they used as a hidden backdoor to maintain permanent control over the system. This shows how hackers are increasingly using normal administrative tools against organizations, making their attacks harder to spot. Companies should ensure they use multi-factor authentication for all remote access and monitor for unusual software installations.

Key Takeaways

  • Threat actors are abusing the open-source monitoring tool Komari as a fully functional C2 framework without needing to weaponize it.
  • Initial access was achieved via compromised VPN credentials, followed by lateral movement using a customized Impacket smbexec.py.
  • The attacker enabled RDP via registry and firewall modifications to establish an interactive session.
  • Komari was installed directly from its official GitHub repository and registered as a persistent SYSTEM service using NSSM.
  • Komari provides built-in arbitrary command execution, interactive reverse shells, and network probing over WebSockets.

Affected Systems

  • Windows Workstations
  • FortiGate VPN

Attack Chain

The attacker gained initial access using compromised credentials via a FortiGate SSLVPN. They utilized a customized Impacket smbexec.py to execute commands remotely, attempting to dump registry hives and successfully modifying registry and firewall settings to enable RDP. After establishing an interactive RDP session, the attacker downloaded and installed the Komari monitoring agent directly from GitHub. The agent was registered as a persistent SYSTEM service using NSSM, establishing a WebSocket-based C2 channel for arbitrary command execution and interactive shell access.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article provides specific IOCs and behavioral hunting concepts (such as identifying long-lived WebSockets spawning shells) but does not include ready-to-use detection rules.

Detection Engineering Assessment

  • EDR Visibility: High — EDR can easily capture the smbexec service creation, registry modifications for RDP, NSSM service installation, and the parent-child process relationship of komari-agent.exe spawning PowerShell.
  • Network Visibility: Medium — The C2 traffic uses WebSockets over TLS (HTTPS), blending in with normal web traffic, though the default port 25774 might be visible if not reverse-proxied.
  • Detection Difficulty: Moderate — While the specific tools (NSSM, Komari) and techniques (smbexec, RDP enablement) are noisy and well-documented, the C2 channel itself mimics legitimate administrative monitoring, requiring behavioral analysis of process ancestry.

Required Log Sources

  • Windows Event Log (Security)
  • Sysmon Event ID 1 (Process Creation)
  • Sysmon Event ID 3 (Network Connection)
  • Sysmon Event ID 12/13 (Registry Event)
  • VPN Authentication Logs

Hunting Hypotheses

  • Hypothesis: Look for instances of nssm.exe installing services with deceptive names like 'Windows Update Service' or pointing to unusual binaries in System32. | Telemetry: Process Creation (Event ID 4688 / Sysmon EID 1), System Service Installation (Event ID 4697 / 7045) | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: Search for processes maintaining long-lived outbound WebSockets that periodically spawn interactive shells (cmd.exe, powershell.exe) without user interaction. | Telemetry: Network Connections (Sysmon EID 3), Process Creation (Sysmon EID 1) | ATT&CK Stage: Command and Control | FP Risk: Medium
  • Hypothesis: Identify sequences of commands executed in rapid succession to enable RDP, such as modifying fDenyTSConnections followed by netsh firewall changes and restarting termservice. | Telemetry: Process Creation (Event ID 4688 / Sysmon EID 1), Registry Modifications (Sysmon EID 12/13) | ATT&CK Stage: Defense Evasion | FP Risk: Low
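The following is an added hunting example, not from the Huntress report: it runs the RDP-enablement sequence hypothesis and the komari-agent.exe parent-child hypothesis over constructed Sysmon EID 1-style events. Host names, timestamps, the event field layout and the full reg/netsh command lines are assumptions made for the example; only "net stop termservice /y" and the fDenyTSConnections key come from the page.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry modeled on Sysmon EID 1 (hosts, times, lines are made up).
EVENTS = [
    {"ts": "2026-04-20T10:01:05", "host": "WS01", "parent": "services.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" '
                '/v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"ts": "2026-04-20T10:01:09", "host": "WS01", "parent": "services.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {"ts": "2026-04-20T10:01:14", "host": "WS01", "parent": "services.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c net stop termservice /y"},
    {"ts": "2026-04-20T10:40:00", "host": "WS01", "parent": "komari-agent.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command whoami"},
    # Lone service restart by an admin on another host: no preceding registry/firewall steps.
    {"ts": "2026-04-20T11:00:00", "host": "WS02", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c net stop termservice /y"},
]

# Ordered stages of the RDP-enablement sequence from the hypothesis above.
RDP_STAGES = [
    ("registry", re.compile(r"fDenyTSConnections.*/d\s+0\b", re.I)),
    ("firewall", re.compile(r"netsh\b.*(remote desktop|RemoteDesktop)", re.I)),
    ("termservice", re.compile(r"net\s+stop\s+termservice", re.I)),
]

def find_rdp_enablement(events, window_minutes=10):
    """Return hosts where all three stages occur, in order, inside the time window."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    hits = []
    for host, evs in by_host.items():
        stage, first_ts = 0, None
        for e in evs:
            ts = datetime.fromisoformat(e["ts"])
            if first_ts and ts - first_ts > timedelta(minutes=window_minutes):
                stage, first_ts = 0, None  # window expired: restart the sequence
            if RDP_STAGES[stage][1].search(e["cmdline"]):
                first_ts = first_ts or ts
                stage += 1
                if stage == len(RDP_STAGES):
                    hits.append(host)
                    break
    return hits

def find_agent_spawned_shells(events):
    """Return (host, image) pairs where komari-agent.exe is the parent of a shell."""
    shells = {"cmd.exe", "powershell.exe"}
    return [(e["host"], e["image"]) for e in events
            if e["parent"].lower() == "komari-agent.exe" and e["image"].lower() in shells]
```

The sequence check is ordered and time-bounded so that a lone termservice restart (WS02) does not fire, which is what keeps the FP risk of this hypothesis low.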

Control Gaps

  • Lack of MFA on VPN access
  • Permissive outbound HTTPS filtering allowing connections to arbitrary unclassified IPs

Key Behavioral Indicators

  • smbexec.py randomized batch file execution pattern (e.g., _output...) via services.exe
  • komari-agent.exe spawning powershell.exe as a child process
  • Registry hive dumping artifacts in C:\Windows\Temp\

False Positive Assessment

  • Medium

Recommendations

Immediate Mitigation

  • Isolate affected workstations.
  • Disable compromised user accounts in Active Directory.
  • Block the identified malicious IPs and domains at the perimeter.

Infrastructure Hardening

  • Enforce Multi-Factor Authentication (MFA) on all external remote services, including VPNs.
  • Restrict inbound SMB and RPC traffic between workstations to prevent lateral movement.
  • Implement strict outbound network filtering to block default C2 ports (e.g., 25774) and unclassified domains.

User Protection

  • Deploy and configure EDR solutions to monitor for suspicious service creation and registry modifications.
  • Restrict local administrator privileges to prevent unauthorized service installation.

Security Awareness

  • Educate SOC analysts on the abuse of legitimate open-source monitoring and RMM tools for C2 purposes.

MITRE ATT&CK Mapping

  • T1078.002 - Valid Accounts: Domain Accounts
  • T1133 - External Remote Services
  • T1569.002 - System Services: Service Execution
  • T1003.002 - OS Credential Dumping: Security Account Manager
  • T1112 - Modify Registry
  • T1562.004 - Impair Defenses: Disable or Modify System Firewall
  • T1021.001 - Remote Services: Remote Desktop Protocol
  • T1543.003 - Create or Modify System Process: Windows Service
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1219 - Remote Access Software

Additional IOCs

  • IPs:
    • 10[.]212[.]134[.]200 - FortiGate-assigned SSLVPN tunnel IP used by the attacker.
  • Domains:
    • raw[.]githubusercontent[.]com - Domain abused to host and deliver the Komari installation script.
  • File Hashes:
    • 039e659ade3aa8ee7758c11fdb8fbfffd2491920046d638413cea2042f6d584c (SHA256) - komari-agent.exe
  • Registry Keys:
    • HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections - Registry key modified to 0 to enable RDP connections.
  • File Paths:
    • C:\Windows\Temp\aRhRnnHI.tmp - Artifact dropped during registry hive dumping (RegDump.SA).
    • C:\Windows\System32\nssm.exe - Non-Sucking Service Manager used to install the Komari agent as a service.
  • Command Lines:
    • Purpose: Enable RDP connections by modifying the registry | Tools: reg.exe, cmd.exe | Stage: Defense Evasion
    • Purpose: Allow RDP traffic through the Windows Firewall | Tools: netsh.exe, cmd.exe | Stage: Defense Evasion
    • Purpose: Restart Terminal Services to apply RDP configuration changes | Tools: net.exe, cmd.exe | Stage: Defense Evasion | net stop termservice /y
    • Purpose: Install the Komari agent as a persistent Windows service | Tools: nssm.exe | Stage: Persistence | nssm.exe install "Windows Update Service"
  • Other:
    • VM8514 - Attacker-controlled workstation name observed in Event ID 4624.
    • vomtLDXyggveYfjFxdoo7Z - Komari authentication bearer token used in the attack.
    • TCP/25774 - Default Komari server port.