“on disk, immediate self-delete. Not a moment later, at 23:39:55 UTC, System event ID 7040 recorded Remote Registry transitioning from Disabled to Demand Start, attributed via SID S-1-5-21-...-1153, [user 1]’s domain SID. By 23:40:02 UTC, Windows Defender h…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1021.002 SMB/Windows Admin Shares
95%
“134[.]200 began accumulating in the workstation's Security event log. Remote Registry and a Defender save. At 23:38:00 UTC, Remote Registry lit up on [redacted-wrkstn]: 2026-04-16 23:37:00 UTC svchost.exe -k LocalService -p -s RemoteRegistry. At 23:39:…”
T1021.001 Remote Desktop Protocol
88%
“23:44:08 UTC by LocalSessionManager event ID 25 (“RDP session connected”) from the same 10.212.134[.]200 source: 2026-04-16T23:44:07.331Z Microsoft-Windows-TerminalServices-RemoteConnectionManager/1149 Computer: [redacted-wrkstn].[redacted]…”
T1021.001 Remote Desktop Protocol
84%
“3389. - The "net stop termservice /y" and "net start termservice" pair, bouncing the Terminal Services stack so the registry and firewall changes take effect cleanly. Put together, this is a textbook hands-on-keyboard RDP enablement kit — the kind of thing we see as a pr…”
T1543.003 Windows Service
78%
“monitoring - "are the hosts I care about reachable?" For a threat actor with a fleet of compromised hosts each running an agent, it is distributed reconnaissance: TCP pings on arbitrary ports are a port scanner, HTTP pings against arbitrary URLs are a web probe, and every pr…”
T1572 Protocol Tunneling
70%
“at 23:23:33 UTC, a new SSL-VPN session came up from remote IP 45.153.34[.]132 and authenticated as [user 1]: Figure 2: FortiGate SSL-VPN session establishment for [user 1] from 45.153.34[.]132. Note: the FortiGate timestamps are local -0500; add 5 hours to the…”
T1059.001 PowerShell
67%
“service entry in the registry shows the full shape of the wrapper (preserved verbatim from the workstation’s forensic triage): Figure 10: the "Windows Update Service" registry Parameters key as pulled forensically from the workstation, showing the Komari agent configurati…”
T1003.002 Security Account Manager
65%
“Temp\arhrnnhi.tmp, matches the size profile of a compressed registry hive extract. Although Defender successfully quarantined the staging file, the threat actor had already escalated to SYSTEM on the endpoint; the malicious action that produced the dump had already completed.…”
T1078 Valid Accounts
62%
“, the suspicious GitHub iwr download, and new persistence via the Windows Update Service with nssm.exe as the registered binary — was triaged as a high-severity incident within the SOC. Analysts immediately: - isolated the affected workstation ([redacted-wrkstn]) on det…”
T1133 External Remote Services
61%
“at 23:23:33 UTC, a new SSL-VPN session came up from remote IP 45.153.34[.]132 and authenticated as [user 1]: Figure 2: FortiGate SSL-VPN session establishment for [user 1] from 45.153.34[.]132. Note: the FortiGate timestamps are local -0500; add 5 hours to the…”
T1195.002 Compromise Software Supply Chain
60%
“, the suspicious GitHub iwr download, and new persistence via the Windows Update Service with nssm.exe as the registered binary — was triaged as a high-severity incident within the SOC. Analysts immediately: - isolated the affected workstation ([redacted-wrkstn]) on det…”
T1021.001 Remote Desktop Protocol
55%
“, the suspicious GitHub iwr download, and new persistence via the Windows Update Service with nssm.exe as the registered binary — was triaged as a high-severity incident within the SOC. Analysts immediately: - isolated the affected workstation ([redacted-wrkstn]) on det…”
T1021.002 SMB/Windows Admin Shares
48%
“Temp\arhrnnhi.tmp, matches the size profile of a compressed registry hive extract. Although Defender successfully quarantined the staging file, the threat actor had already escalated to SYSTEM on the endpoint; the malicious action that produced the dump had already completed.…”
T1569.002 Service Execution
36%
“134[.]200 began accumulating in the workstation's Security event log. Remote Registry and a Defender save. At 23:38:00 UTC, Remote Registry lit up on [redacted-wrkstn]: 2026-04-16 23:37:00 UTC svchost.exe -k LocalService -p -s RemoteRegistry. At 23:39:…”
T1505.004 IIS Components
34%
“, the suspicious GitHub iwr download, and new persistence via the Windows Update Service with nssm.exe as the registered binary — was triaged as a high-severity incident within the SOC. Analysts immediately: - isolated the affected workstation ([redacted-wrkstn]) on det…”
T1572 Protocol Tunneling
33%
“filenames (scnrmuvt, bpzrqola, hbbjlmcw, plyhzsec), together with the matching _idhlsdpd suffix on the __output pipe, are the giveaway — this is most likely smbexec.py's randomstring() at work. Vanilla Impacket ships with a static service name of BTOBTO and a plain __…”
T1204.002 Malicious File
32%
“…RDP session: cmd.exe, spawned by explorer.exe and parented by the [user 1] userinit.exe. No more smbexec.py service installs. No more output redirection to \\C$\__output_.... The attacker was now typing at a prompt. Typing at the prompt: the install at 23:45:0…”
T1219 Remote Access Tools
31%
“, the suspicious GitHub iwr download, and new persistence via the Windows Update Service with nssm.exe as the registered binary — was triaged as a high-severity incident within the SOC. Analysts immediately: - isolated the affected workstation ([redacted-wrkstn]) on det…”
Summary
Huntress found threat actors using the Komari monitoring agent as a SYSTEM-level backdoor. Learn how they abused GitHub and what defenders should hunt for.