COMmander: Unmasking Hidden Threats in Windows with Deep RPC/COM Monitoring

There is no shortage of protective tools today, yet unfortunately, the number of threats continues to outpace them—particularly those that operate subtly and invisibly, penetrating the very core mechanisms of an operating system. Detecting such attacks is exceptionally challenging: conventional security solutions often fail to perceive what transpires “under the hood.” This is precisely why tools capable of probing deeper—into the hidden layers where the most sophisticated attack scenarios reside—are becoming increasingly invaluable.

COMmander is one such utility. Compact yet immensely practical, this tool monitors activities related to RPC and COM—two foundational technologies without which Windows cannot function, but which are frequently exploited by malicious actors. Despite its modest resource footprint, COMmander excels at identifying anomalies that would typically escape notice.

Security professionals have long found these protocols frustrating: too many layers, too many abstractions, and when something goes wrong, it often does so in silence. COMmander seems purpose-built for precisely these situations. It scrutinizes low-level system behavior using Windows’ native Event Tracing for Windows (ETW), effectively observing how programs within the system communicate—and raising a flag when anything appears suspicious.

The tool operates with elegant simplicity. A configuration file (in XML format) defines the rules of engagement—what exactly to look for. Want to track invocations of a particular COM interface via a suspicious endpoint? Done. Need to detect an exploitation attempt using PetitPotam? Just specify the relevant UUID and operation number. While it doesn’t offer hundreds of settings, the available options are more than sufficient to cover a wide array of scenarios.

COMmander is also delightfully straightforward to launch. You can simply open the .exe file to load settings from a neighboring configuration file. Alternatively, install it as a service—it will start with the system and run silently in the background. Installation is refreshingly hassle-free: download it, run a PowerShell script, and you’re ready to go. Just remember: running the CLI and the service at the same time is not advised, since the two instances can interfere with each other and the service may then need to be restarted.

All detected activity is recorded in the standard Windows Event Log under a dedicated log labeled “COMmander.” Each event ID clearly indicates what occurred—service start, stop, rule load, error, or detection of suspicious behavior. The result is a concise, readable log.

Notably, while current configuration filters are limited to one instance per type, they can be freely combined. Template examples are even provided, bundling rules for various attacks—ready to use and easily adapted to specific needs.
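To make the rule model described above concrete (one filter of each type per rule, filters combined to narrow a match, a UUID plus operation number to single out one RPC method), here is an added example of the matching logic run over constructed call telemetry. It is not COMmander's code and the XML schema below is a hypothetical one of my own, not the tool's real configuration format; the UUID, pipe name and process names are constructed placeholders, so real values must be taken from the tool's bundled templates or the relevant protocol specification.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed rule file in a hypothetical schema (not COMmander's). Each rule may
# carry at most one filter of each type; the filters a rule does carry are ANDed.
RULES_XML = r"""
<rules>
  <rule name="interface-and-opnum-over-named-pipe">
    <!-- constructed placeholder UUID/opnum; take real values from the protocol spec -->
    <interface uuid="00000000-0000-0000-0000-000000000001"/>
    <opnum value="0"/>
    <endpoint value="\pipe\placeholder"/>
  </rule>
  <rule name="rpc-call-from-unexpected-process">
    <process name="unexpected.exe"/>
  </rule>
</rules>
"""


@dataclass(frozen=True)
class RpcCall:
    """One observed RPC/COM call, in the shape ETW-style telemetry would present it."""
    interface_uuid: str
    opnum: int
    endpoint: str
    process: str


@dataclass(frozen=True)
class Rule:
    name: str
    interface_uuid: Optional[str] = None
    opnum: Optional[int] = None
    endpoint: Optional[str] = None
    process: Optional[str] = None

    def matches(self, call: RpcCall) -> bool:
        """Every filter present on the rule must hold (logical AND); absent filters match anything."""
        if self.interface_uuid is not None and call.interface_uuid.lower() != self.interface_uuid.lower():
            return False
        if self.opnum is not None and call.opnum != self.opnum:
            return False
        if self.endpoint is not None and call.endpoint.lower() != self.endpoint.lower():
            return False
        if self.process is not None and call.process.lower() != self.process.lower():
            return False
        return True


# filter element tag -> (attribute holding the value, Rule field, converter)
_FILTERS = {
    "interface": ("uuid", "interface_uuid", str),
    "opnum": ("value", "opnum", int),
    "endpoint": ("value", "endpoint", str),
    "process": ("name", "process", str),
}


def load_rules(xml_text: str) -> List[Rule]:
    """Parse the hypothetical schema. A repeated filter type, an unknown filter, a missing
    attribute, or a rule with no filters at all is a configuration mistake and is rejected."""
    rules = []
    for rule_el in ET.fromstring(xml_text).findall("rule"):
        name = rule_el.get("name")
        if not name:
            raise ValueError("rule without a name")
        fields = {}
        for child in rule_el:  # comments are dropped by the default parser
            if child.tag not in _FILTERS:
                raise ValueError(f"{name}: unknown filter <{child.tag}>")
            attr, field, conv = _FILTERS[child.tag]
            if field in fields:
                raise ValueError(f"{name}: filter <{child.tag}> given more than once")
            raw = child.get(attr)
            if raw is None:
                raise ValueError(f"{name}: <{child.tag}> is missing attribute {attr!r}")
            fields[field] = conv(raw)
        if not fields:
            raise ValueError(f"{name}: rule has no filters and would match every call")
        rules.append(Rule(name=name, **fields))
    return rules


def rule_error(xml_text: str) -> Optional[str]:
    """Return the configuration error for a rule file, or None if it loads cleanly."""
    try:
        load_rules(xml_text)
    except (ValueError, ET.ParseError) as exc:
        return str(exc)
    return None


def scan(rules: List[Rule], calls: List[RpcCall]) -> List[Tuple[str, RpcCall]]:
    """Return (rule name, call) for every call that satisfies a rule."""
    return [(r.name, c) for c in calls for r in rules if r.matches(c)]


# Constructed sample telemetry: three calls, of which the first and third should trigger.
SAMPLE_CALLS = [
    RpcCall("00000000-0000-0000-0000-000000000001", 0, r"\pipe\placeholder", "svchost.exe"),
    RpcCall("00000000-0000-0000-0000-000000000001", 4, r"\pipe\placeholder", "svchost.exe"),  # same interface, other opnum
    RpcCall("00000000-0000-0000-0000-000000000002", 7, r"\pipe\other", "unexpected.exe"),
]

if __name__ == "__main__":
    for name, call in scan(load_rules(RULES_XML), SAMPLE_CALLS):
        print(f"[detection] rule={name} proc={call.process} uuid={call.interface_uuid} opnum={call.opnum}")
```

The second sample call shows why the operation number matters: the same interface is invoked, but on a different method, so the UUID-only part of the rule is not enough on its own to raise a detection. Rejecting a rule with a repeated filter type mirrors the one-instance-per-type constraint the text mentions, and rejecting a filterless rule avoids a configuration that would flag every call and drown real detections in noise.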

In the end, COMmander is a tool that does one thing—and does it exceptionally well. It won’t replace a full-scale traffic analysis system, but within its niche, it excels. Especially when you need to quickly assess what’s unfolding in your RPC space and determine whether any process is interpreting its privileges a bit too liberally. And yes, it doesn’t just expose events—it transforms them into actionable intelligence.