RemCom

RemCom is an open-source remote execution utility for Windows, commonly described as a remote shell or telnet replacement and an open-source replacement for PsExec. It allows execution of processes on remote Windows systems and is commonly used by attackers for lateral movement and remote service-based execution within compromised networks. The content references detections and telemetry associated with RemCom activity, including Windows service creation events such as RemComSvc and datasets covering Windows Security, Sysmon, and System logs. RemCom has been observed in post-exploitation activity by multiple threat actors. Microsoft reported that MERCURY, now tracked as Mango Sandstorm and assessed with high confidence to be affiliated with Iran’s MOIS, used remote services with RemCom to run encoded PowerShell commands on internal systems after exploiting Log4j 2 vulnerabilities in SysAid Server instances targeting organizations in Israel. APT39 has used RemCom alongside NSSM to execute processes and for lateral movement, particularly in intrusions targeting telecommunications and travel organizations and other entities aligned with Iranian national interests. CrowdStrike reported that FANCY BEAR/APT28 used RemCOM to deploy tools during the 2016 DNC intrusion. Palo Alto Networks reported Stately Taurus (also known as Mustang Panda, BRONZE PRESIDENT, TA416, RedDelta, and Earth Preta) used RemCom for remote execution of exfiltration tools on uncompromised hosts during a long-running cyberespionage campaign against a Southeast Asian government. ESET also reported that IsaacWiper targeted specific machines previously compromised with RemCom, which was described as being used by attackers for lateral movement within compromised networks. High-confidence indicators directly mentioned in the content include the service name RemComSvc and the existence of SHA-256 hashes for RemCom shared by Microsoft in related intrusion reporting, though the specific hash values are not provided in the content.