Rule Category


Alert Message

MALWARE-TOOLS Win.Tool.RemComSvc download attempt

Rule Explanation

This rule looks for strings associated with a PUA that could potentially inject into other applications or spawn a reverse shell.

What To Look For

This rule alerts when a binary containing RemComSvc is downloaded.

Known Usage

Attacks/Scans seen in the wild

False Positives

Known false positives, with the described conditions

This rule has the potential to trigger on benign use of the RemComSvc binary. The RemComSvc binary is not inherently malicious. Although, it is commonly used by threat actors to inject into other processes and delve deeper into the network. A common false positive would be its usage in the ManageEngine software suite.


Cisco Talos Intelligence Group

Rule Groups

No rule groups



Additional Links

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.