This is another short piece of the “Strictly Theoretical” mini series, in which I put seemingly insignificant historical incident management cases and suspicious behaviour patterns under the microscope, reflecting on how the “inner” and “outer” worlds continuously interact with each other to form the everyday life of the production environment.
RemComSvc
RemCom is a free tool that provides remote management capabilities. It is bundled with various legitimate software packages and, by default, it sends RemComSvc.exe to the remote computer, which then communicates over its own named pipe in the place of PsExec’s named pipe. This can be very confusing from a blue team perspective, and it may take some time to establish an appropriate baseline for alert levels, because the resulting number of investigations could cause business disruption if not handled correctly. For example, the following is just a remote software installation process that is usually completely legitimate in this business environment and under these circumstances.
What needs to be done
Typically, the activity needs to be confirmed with the user who initiated it, and a few adjustments to the detection rule are good enough to eliminate future instances.
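As an added illustration of the baselining described above (this is example code, not part of the original post or of the RemCom project), the following Python script triages named-pipe events that look like RemComSvc or PsExec service activity and separates the ones originating from an approved deployment source from the ones that still need a human to confirm. The pipe names are the ones publicly documented for the two tools and are taken as an assumption here; the event schema, the host names and the baseline list are all constructed for the example.

```python
"""Triage RemCom / PsExec style named-pipe activity against a source-host baseline.

Input events use a constructed, simplified schema (loosely modelled on pipe-creation
telemetry enriched with the host that initiated the remote session); it is not a real
log format.  Output: matches split into "expected" (source host is in the baseline)
and "alerts" (source host is not), plus a per-source summary.
"""
from collections import Counter

# Pipe names as publicly documented for the tools (assumption, not from the post).
# The RemCom pipe name keeps the tool's own spelling, typo included.
SUSPECT_PIPES = {
    r"\RemCom_communicaton": "RemCom",
    r"\PSEXESVC": "PsExec",
}
# Service binaries the tools drop on the target; matched as a second signal so a
# renamed pipe or a renamed image alone does not hide the activity.
SUSPECT_IMAGES = {"remcomsvc.exe": "RemCom", "psexesvc.exe": "PsExec"}

# Hypothetical approved software-deployment server (constructed baseline).
BASELINE_SOURCES = {"deploy01.corp.example"}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "ws-042.corp.example", "Image": r"C:\Windows\RemComSvc.exe",
     "PipeName": r"\RemCom_communicaton", "SourceHost": "deploy01.corp.example"},
    {"Computer": "ws-043.corp.example", "Image": r"C:\Windows\RemComSvc.exe",
     "PipeName": r"\RemCom_communicaton", "SourceHost": "deploy01.corp.example"},
    {"Computer": "fin-007.corp.example", "Image": r"C:\Windows\RemComSvc.exe",
     "PipeName": r"\RemCom_communicaton", "SourceHost": "ws-118.corp.example"},
    {"Computer": "srv-db01.corp.example", "Image": r"C:\Windows\PSEXESVC.exe",
     "PipeName": r"\PSEXESVC", "SourceHost": "ws-118.corp.example"},
    {"Computer": "ws-044.corp.example", "Image": r"C:\Program Files\App\app.exe",
     "PipeName": r"\app_ipc", "SourceHost": "ws-044.corp.example"},
]


def classify(event):
    """Return the tool name ("RemCom"/"PsExec") if the event matches, else None."""
    tool = SUSPECT_PIPES.get(event.get("PipeName", ""))
    if tool is None:
        image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
        tool = SUSPECT_IMAGES.get(image)
    return tool


def triage(events, baseline=BASELINE_SOURCES):
    """Split matching events into (expected, alerts) by whether the source is baselined."""
    expected, alerts = [], []
    for ev in events:
        tool = classify(ev)
        if tool is None:
            continue
        record = {"tool": tool, "target": ev["Computer"], "source": ev["SourceHost"]}
        (expected if ev["SourceHost"] in baseline else alerts).append(record)
    return expected, alerts


def summarise(alerts):
    """Count alerts per source host so one noisy origin surfaces as a single finding."""
    return Counter(a["source"] for a in alerts)


if __name__ == "__main__":
    ok, bad = triage(SAMPLE_EVENTS)
    print(f"{len(ok)} expected deployment event(s), {len(bad)} to confirm with the user")
    for source, count in summarise(bad).items():
        print(f"  {source}: {count} remote service launch(es) outside the baseline")
```

Once the user confirms that a flagged source is a legitimate deployment host, adding it to the baseline set is the "adjustment" that silences future instances without suppressing the detection itself; the two unexpected events from the same workstation collapse into one finding, which keeps investigation volume proportionate.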
Thanks for reading and as always, any feedback is most welcome.