Rule Category

MALWARE-TOOLS

Alert Message

MALWARE-TOOLS Win.Tool.RemComSvc download attempt

Rule Explanation

This rule looks for strings associated with a potentially unwanted application (PUA) that could inject into other applications or spawn a reverse shell.

What To Look For

This rule alerts when a binary containing RemComSvc is downloaded.

Known Usage

Attacks/Scans seen in the wild

False Positives

Known false positives, with the described conditions

This rule has the potential to trigger on benign use of the RemComSvc binary. The RemComSvc binary is not inherently malicious; however, it is commonly used by threat actors to inject into other processes and move deeper into the network. A common false positive is its use within the ManageEngine software suite.

Contributors

Cisco Talos Intelligence Group

Rule Groups

No rule groups

CVE

None

Additional Links

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None