COMmander: Lightweight C# Tool Boosts Defensive RPC/COM Telemetry
COMmander is a tool written in C# that enriches defensive telemetry around RPC and COM. For a detailed account of the development of the tool and its ruleset, see Jacob Acuna's blog post.
COMmander leverages the Microsoft-Windows-RPC ETW provider to tap into low-level RPC events. These events give defenders detailed visibility into RPC activity on the system, as well as into the layers of abstraction built on top of it, such as COM.
The way COMmander works is very simple – you provide a configuration file containing detection rules. These rules consist of various filters that give granular control over what COMmander will detect (see the Configuration File section for more details). After running the binary, that's all you have to do – COMmander will monitor the system for events that match the filters you provided and print alerts in the terminal whenever one is encountered.
One of the issues with handling so many events is that it often requires a significant amount of resources. COMmander, however, is extremely lightweight and consistently uses minimal resources while still providing detection functionality.

Command-Line Usage
Configuration File
By default, COMmander will attempt to find a configuration file called config.xml in the same directory as the binary. A rule may combine several rule types, but for the time being may only include a single instance of each rule type (i.e. a rule can contain only one OpNum filter). Below is a table containing the possible rule types to use in detection rules, with an example value for each.
| Rule Type | Example Value |
|---|---|
| InterfaceUUID | 06bba54a-be05-49f9-b0a0-30f790261023 |
| OpNum | 13 |
| Endpoint | \PIPE\DAV RPC SERVICE |
| NetworkAddress | NULL |
| ProcessName | lsass |
Below is a sample configuration file template:
```xml
<Rules>
	<Rule name="DCOM Invoked WebClient">
		<InterfaceUUID>c8cb7687-e6d3-11d2-a958-00c04f682e16</InterfaceUUID>
		<Endpoint>\PIPE\DAV RPC SERVICE</Endpoint>
	</Rule>
	<Rule name="Authentication Coercion using PetitPotam EfsRpcOpenFileRaw">
		<InterfaceUUID>c681d488-d850-11d0-8c52-00c04fd90f7e</InterfaceUUID>
		<OpNum>0</OpNum>
	</Rule>
</Rules>
```
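To make the rule semantics concrete, here is an added Python example (not COMmander's own code, which is C#) of the matching logic a rule file like this drives: it parses the `<Rules>` document, enforces the one-filter-per-rule-type constraint described above, and evaluates a handful of constructed RPC events against the rules. The event field names, the AND semantics across a rule's filters (every filter present must match, omitted filters are wildcards) and case-insensitive comparison of values are assumptions made for the example, not documented behaviour of the tool.

```python
import xml.etree.ElementTree as ET

# Rule types from the COMmander configuration table; each may appear at most
# once inside a single <Rule>.
RULE_TYPES = ("InterfaceUUID", "OpNum", "Endpoint", "NetworkAddress", "ProcessName")

# Constructed sample configuration in the same format as the template above.
SAMPLE_CONFIG = r"""<Rules>
  <Rule name="DCOM Invoked WebClient">
    <InterfaceUUID>c8cb7687-e6d3-11d2-a958-00c04f682e16</InterfaceUUID>
    <Endpoint>\PIPE\DAV RPC SERVICE</Endpoint>
  </Rule>
  <Rule name="Authentication Coercion using PetitPotam EfsRpcOpenFileRaw">
    <InterfaceUUID>c681d488-d850-11d0-8c52-00c04fd90f7e</InterfaceUUID>
    <OpNum>0</OpNum>
  </Rule>
</Rules>"""

# Constructed sample events standing in for Microsoft-Windows-RPC ETW records.
# The field names are an assumption chosen to mirror the rule types.
SAMPLE_EVENTS = [
    {"InterfaceUUID": "C8CB7687-E6D3-11D2-A958-00C04F682E16", "OpNum": "3",
     "Endpoint": r"\PIPE\DAV RPC SERVICE", "NetworkAddress": "NULL",
     "ProcessName": "svchost"},
    {"InterfaceUUID": "c681d488-d850-11d0-8c52-00c04fd90f7e", "OpNum": "0",
     "Endpoint": r"\PIPE\example", "NetworkAddress": "10.0.0.5",
     "ProcessName": "lsass"},
    {"InterfaceUUID": "c681d488-d850-11d0-8c52-00c04fd90f7e", "OpNum": "4",
     "Endpoint": r"\PIPE\example", "NetworkAddress": "NULL",
     "ProcessName": "lsass"},
]


def load_rules(xml_text):
    """Parse a <Rules> document into a list of (name, {rule_type: value}) pairs.

    Rejects unknown rule types and a second instance of a rule type within
    one rule, the restriction the configuration section describes.
    """
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall("Rule"):
        name = rule.get("name", "<unnamed>")
        filters = {}
        for child in rule:
            if child.tag not in RULE_TYPES:
                raise ValueError(f"rule {name!r}: unknown rule type {child.tag}")
            if child.tag in filters:
                raise ValueError(f"rule {name!r}: duplicate {child.tag} filter")
            filters[child.tag] = (child.text or "").strip()
        if not filters:
            raise ValueError(f"rule {name!r}: rule has no filters")
        rules.append((name, filters))
    return rules


def _normalize(value):
    # Assumption: GUIDs and pipe names compare case-insensitively on Windows,
    # so values are lower-cased and stripped before comparison.
    return str(value).strip().lower()


def rule_matches(filters, event):
    """A rule fires only if every filter it declares matches the event (AND).

    Rule types the rule does not mention act as wildcards. AND semantics is
    an assumption of this example.
    """
    return all(_normalize(wanted) == _normalize(event.get(rule_type, ""))
               for rule_type, wanted in filters.items())


def evaluate(rules, events):
    """Return (rule name, event) pairs for every rule/event match."""
    return [(name, event)
            for event in events
            for name, filters in rules
            if rule_matches(filters, event)]


def alert_lines(rules, events):
    """Render matches as terminal alerts, one line per hit."""
    return [f"[ALERT] {name}: process={ev['ProcessName']} uuid={ev['InterfaceUUID']} "
            f"opnum={ev['OpNum']} endpoint={ev['Endpoint']} addr={ev['NetworkAddress']}"
            for name, ev in evaluate(rules, events)]


if __name__ == "__main__":
    for line in alert_lines(load_rules(SAMPLE_CONFIG), SAMPLE_EVENTS):
        print(line)
```

Run as written, the first sample event fires the WebClient rule (the UUID matches despite its upper-case form, and the rule puts no constraint on OpNum), the second fires the EfsRpcOpenFileRaw rule, and the third is silent because its OpNum is 4. A configuration that repeats a rule type inside one rule is rejected at load time rather than silently taking one of the values.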
Download