S0244: Comnie
Analyst context for executives and security teams
Comnie is a Windows remote backdoor with ATT&CK relationships showing a broad post-compromise pattern: execution through command/scripting mechanisms, discovery of users, processes, services, security tools, systems, and network configuration, persistence through startup mechanisms, web-based command-and-control, and automated collection. For leaders, the value is not just identifying one malware family; it is testing whether Windows endpoint, network, and identity telemetry can prove what a backdoor did after initial access.
Executive priority
Prioritize Comnie as a resilience and incident-readiness use case for Windows environments. The related behaviors touch controls that executives often rely on for assurance: endpoint monitoring, startup/persistence governance, command-line visibility, egress monitoring, and evidence of discovery or collection activity. Since MITRE provides no official detection guidance for this object, leadership should ask whether the SOC can reconstruct backdoor activity from available telemetry rather than depending on malware-name alerts or hashes.
Technical view
Validate coverage against the ATT&CK relationships rather than the malware name alone. On Windows, focus on command shell and Visual Basic execution, rundll32 proxy execution, Run key and startup-folder persistence, shortcut modification, local account/process/service/security software discovery, remote system and network discovery, automated collection indicators, and web or web-service command-and-control using encrypted or obfuscated content. Detection engineering should correlate suspicious discovery bursts, persistence changes, and outbound web communications from unusual processes or newly persistent binaries.
Likely telemetry
- Windows process creation events with full command line and parent-child process context
- Registry modification events for Run keys and related autostart locations
- Startup folder and shortcut file creation or modification events
- DLL execution and rundll32.exe invocation telemetry
- Endpoint file metadata, including unusually padded or obfuscated binaries where observable
Detection direction
- Do not rely only on static indicators or hash matching; the relationships include obfuscation and binary padding, which can weaken hash-based controls.
- Tune for sequences: execution or proxy execution followed by discovery commands, persistence modification, collection activity, and outbound web traffic.
- Baseline legitimate administrative discovery commands so alerts distinguish routine IT activity from unusual parent processes, user contexts, timing, or endpoint populations.
- Review rundll32.exe usage carefully because it is legitimate but commonly noisy; prioritize suspicious command lines, unusual DLL paths, and abnormal parent processes.
- Monitor Run keys, startup folders, and shortcut changes with user and process attribution to support incident scoping.
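The sequence logic described in the bullets above, as an added example that is not part of the original page and not tooling from MITRE or Unit 42. It runs over a small set of constructed Windows events (process creation with parent linkage, file creation, Registry writes, outbound network) and alerts only when several stages of the chain co-occur on one host inside a time window, discounting discovery commands whose parent chain is an interactive shell rather than a proxy-execution binary or a user-writable path. The event schema, the discovery-command vocabulary, the path heuristics and the 15-minute window are assumptions; the command lines are typical discovery commands, not a claim about the malware's exact commands, which this page does not reproduce.

```python
"""Sequence detection for a Comnie-like post-compromise chain on Windows endpoints.

Added example for this page, not code from MITRE or Unit 42. The event schema, the
discovery-command vocabulary (typical commands, not the malware's exact ones), the
path heuristics, the window and the sample events are assumptions for illustration.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
DISCOVERY = {"T1057": ("tasklist",), "T1087.001": ("net user", "net localgroup"),
             "T1007": ("net start", "sc query"), "T1016": ("ipconfig", "route print"),
             "T1049": ("netstat",), "T1018": ("net view", "arp -a"), "T1082": ("hostname", "systeminfo")}
PROXY_EXEC = {"rundll32.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")
WEB_SERVICES = ("github", "tumblr", "blogspot")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")

# Constructed sample telemetry, not real logs. WS01 follows the chain described on this
# page; WS02 is an administrator running similar discovery from an interactive cmd.exe.
EVENTS = [
    {"host": "WS01", "ts": "2024-05-01T09:00:00", "type": "process", "pid": 10, "ppid": 5,
     "image": "rundll32.exe", "cmdline": r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\upd.dll,Start"},
    {"host": "WS01", "ts": "2024-05-01T09:00:05", "type": "process", "pid": 11, "ppid": 10,
     "image": "cmd.exe", "cmdline": r"cmd.exe /c C:\Users\jdoe\AppData\Local\Temp\col.bat"},
    {"host": "WS01", "ts": "2024-05-01T09:00:06", "type": "process", "pid": 12, "ppid": 11,
     "image": "tasklist.exe", "cmdline": "tasklist"},
    {"host": "WS01", "ts": "2024-05-01T09:00:07", "type": "process", "pid": 13, "ppid": 11,
     "image": "net.exe", "cmdline": "net user"},
    {"host": "WS01", "ts": "2024-05-01T09:00:08", "type": "process", "pid": 14, "ppid": 11,
     "image": "ipconfig.exe", "cmdline": "ipconfig /all"},
    {"host": "WS01", "ts": "2024-05-01T09:00:09", "type": "process", "pid": 15, "ppid": 11,
     "image": "netstat.exe", "cmdline": "netstat -ano"},
    {"host": "WS01", "ts": "2024-05-01T09:01:00", "type": "file", "process": "rundll32.exe",
     "path": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"},
    {"host": "WS01", "ts": "2024-05-01T09:06:00", "type": "network", "process": "rundll32.exe",
     "dest_host": "raw.githubusercontent.com"},
    {"host": "WS02", "ts": "2024-05-01T10:00:00", "type": "process", "pid": 200, "ppid": 150,
     "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"host": "WS02", "ts": "2024-05-01T10:00:10", "type": "process", "pid": 201, "ppid": 200,
     "image": "ipconfig.exe", "cmdline": "ipconfig /all"},
    {"host": "WS02", "ts": "2024-05-01T10:00:20", "type": "process", "pid": 202, "ppid": 200,
     "image": "net.exe", "cmdline": "net user"},
    {"host": "WS02", "ts": "2024-05-01T10:00:30", "type": "process", "pid": 203, "ppid": 200,
     "image": "netstat.exe", "cmdline": "netstat -ano"},
]


def classify_discovery(cmdline):
    """Map a command line to the discovery technique it most likely represents, or None."""
    c = cmdline.lower()
    for tid, needles in DISCOVERY.items():
        if any(n in c for n in needles):
            return tid
    return None


def suspicious_ancestor(ev, procs):
    """True if an ancestor is a proxy-execution binary or was launched from a user-writable path."""
    seen, cur = set(), procs.get((ev["host"], ev["ppid"]))
    while cur and cur["pid"] not in seen:
        seen.add(cur["pid"])
        if cur["image"].lower() in PROXY_EXEC or any(p in cur["cmdline"].lower() for p in USER_WRITABLE):
            return True
        cur = procs.get((cur["host"], cur["ppid"]))  # stops at processes older than the log window
    return False


def detect(events):
    """Return {host: finding} for hosts showing at least three chain stages inside WINDOW."""
    procs = {(e["host"], e["pid"]): e for e in events if e["type"] == "process"}
    state = {}
    for e in events:
        h = state.setdefault(e["host"], {"discovery": set(), "ts": []})
        hit = False
        if e["type"] == "process":
            cmd = e["cmdline"].lower()
            if e["image"].lower() in PROXY_EXEC and any(p in cmd for p in USER_WRITABLE):
                h["proxy_exec"], hit = e["cmdline"], True
            tid = classify_discovery(cmd)
            if tid and suspicious_ancestor(e, procs):   # interactive admin discovery is not counted
                h["discovery"].add(tid); hit = True
        elif e["type"] == "file" and "\\startup\\" in e["path"].lower() and e["path"].lower().endswith(".lnk"):
            h["persistence"], hit = e["path"], True
        elif e["type"] == "registry" and any(k in e["key"].lower() for k in RUN_KEYS):
            h["persistence"], hit = e["key"], True
        elif e["type"] == "network":
            proc = e["process"].lower()
            if proc not in BROWSERS and (proc in PROXY_EXEC or any(w in e["dest_host"] for w in WEB_SERVICES)):
                h["c2"], hit = f'{e["process"]} -> {e["dest_host"]}', True
        if hit:
            h["ts"].append(datetime.fromisoformat(e["ts"]))
    alerts = {}
    for host, h in state.items():
        stages = [s for s in ("proxy_exec", "persistence", "c2") if s in h]
        if len(h["discovery"]) >= 3:          # a burst across three or more discovery techniques
            stages.append("discovery")
        if len(stages) >= 3 and max(h["ts"]) - min(h["ts"]) <= WINDOW:
            alerts[host] = {"stages": sorted(stages), "discovery": sorted(h["discovery"])}
    return alerts
```

Only WS01 alerts: its discovery burst is rooted under a rundll32.exe loading a DLL from a Temp path, and it is followed by a .lnk in the Startup folder and an outbound connection to a web service from rundll32.exe itself. WS02 runs three of the same discovery commands but never counts, because the ancestor walk finds nothing but an interactive cmd.exe; that is the baselining step the bullets above call for. In production the same fields come from Sysmon event IDs 1, 3, 11 and 13 or an EDR equivalent, and the window and stage threshold should be tuned per endpoint population.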
Mitigation priorities
- Ensure Windows endpoints collect process, registry, file, and network telemetry sufficient for post-compromise reconstruction.
- Harden and monitor autostart execution paths, including Registry Run keys, startup folders, and shortcut locations.
- Restrict or monitor script and command interpreter abuse where operationally feasible, especially unusual cmd.exe and Visual Basic execution.
- Improve egress visibility for web protocols and legitimate web-service channels, focusing on process attribution and destination reputation/context rather than simple port-based filtering.
- Maintain endpoint protection and sensor coverage that can observe discovery, collection, and persistence behaviors even when malware is obfuscated.
Analyst notes and limits
The official object describes Comnie as a remote backdoor reported in attacks in East Asia, with Palo Alto Networks Unit 42 as the cited external source. ATT&CK does not specify tactics directly on the malware object and provides no official detection section, so this assessment is derived from the supplied platform and the listed technique relationships.
This assessment does not establish current activity, attribution, prevalence, or customer exposure. The related techniques include platforms beyond Windows, but the malware object itself lists Windows, so defensive validation should be Windows-centered unless local evidence shows otherwise. Local baselines and telemetry availability are required to determine actual coverage.
Comnie
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This table mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available; several procedure cells below are cut off in the mirrored text, and the command lines they refer to are in the cited Unit 42 report [1].
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1007 | System Service Discovery | Comnie runs the command: |
| Enterprise | T1119 | Automated Collection | Comnie executes a batch script to store discovery information in %TEMP%\info.dat and then uploads the temporary file to the remote C2 server. [1] |
| Enterprise | T1518.001 | Security Software Discovery | Comnie attempts to detect several anti-virus products. [1] |
| Enterprise | T1059.003 | Windows Command Shell | Comnie executes BAT scripts. [1] |
| Enterprise | T1102.002 | Bidirectional Communication | Comnie uses blogs and third-party sites (GitHub, Tumblr, and BlogSpot) to avoid DNS-based blocking of its communication with the command and control server. [1] |
| Enterprise | T1057 | Process Discovery | Comnie uses the |
| Enterprise | T1016 | System Network Configuration Discovery | Comnie uses |
| Enterprise | T1087.001 | Local Account | Comnie uses the |
| Enterprise | T1049 | System Network Connections Discovery | Comnie executes the |
| Enterprise | T1018 | Remote System Discovery | Comnie runs the |
| Enterprise | T1547.009 | Shortcut Modification | Comnie establishes persistence via a .lnk file in the victim's startup path. [1] |
| Enterprise | T1071.001 | Web Protocols | Comnie uses HTTP for C2 communication. [1] |
| Enterprise | T1059.005 | Visual Basic | Comnie executes VBS scripts. [1] |
| Enterprise | T1573.001 | Symmetric Cryptography | Comnie encrypts command and control communications with RC4. [1] |
| Enterprise | T1082 | System Information Discovery | Comnie collects the hostname of the victim machine. [1] |
| Enterprise | T1218.011 | Rundll32 | Comnie uses Rundll32 to load a malicious DLL. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Comnie achieves persistence by adding a shortcut of itself to the startup path in the Registry. [1] |
| Enterprise | T1027.001 | Binary Padding | Comnie appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | Comnie uses RC4 and Base64 to obfuscate strings. [1] |
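The RC4 and Base64 handling named in the T1573.001 and T1027 rows above, as an added example that is not Comnie's code and not from Unit 42 or MITRE. The key, the sample strings and the dump-like buffer are placeholders, not values recovered from the malware. rc4() is the textbook algorithm, and because RC4 is symmetric the same routine decrypts C2 traffic and deobfuscates strings once an analyst has pulled the key from a sample. The last function shows the cryptographic caveat that matters for triage: a fixed RC4 key means keystream reuse, so one known plaintext message exposes any other message of the same length without the key.

```python
"""RC4 + Base64 string (de)obfuscation of the kind listed under T1027 / T1573.001.

Added example for this page, not the malware's code. KEY, the sample strings and the
buffer below are placeholders for illustration, not values recovered from Comnie.
"""
import base64
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                              # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                                 # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def obfuscate(key: bytes, text: str) -> str:
    """RC4-encrypt a string and Base64-encode the result."""
    return base64.b64encode(rc4(key, text.encode())).decode()


def deobfuscate(key: bytes, token: str):
    """Reverse obfuscate(); return None unless the token decodes to printable ASCII."""
    try:
        text = rc4(key, base64.b64decode(token, validate=True)).decode("ascii")
    except (ValueError, UnicodeDecodeError):          # bad Base64 or non-text output
        return None
    return text if text.isprintable() else None


B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def recover_strings(key: bytes, buffer: bytes):
    """Triage helper: try every Base64-looking run in a dumped buffer under one key."""
    found = []
    for m in B64_TOKEN.finditer(buffer):
        text = deobfuscate(key, m.group().decode())
        if text:
            found.append(text)
    return found


def keystream_reuse_leak(key: bytes, known: bytes, other: bytes) -> bytes:
    """Fixed key => identical keystream, so c1 XOR c2 == p1 XOR p2 and a known p1 yields p2."""
    c1, c2 = rc4(key, known), rc4(key, other)
    n = min(len(c1), len(c2))
    return bytes(a ^ b ^ k for a, b, k in zip(c1[:n], c2[:n], known[:n]))


KEY = b"example-key"   # placeholder only, not a key recovered from Comnie
# Constructed dump-like buffer: two obfuscated strings between non-Base64 filler bytes.
SAMPLE = (b"\x00\x01\n" + obfuscate(KEY, "cmd.exe /c info.bat").encode()
          + b"\n\x00\x00" + obfuscate(KEY, "%TEMP%\\info.dat").encode() + b"\xff\xfe")
```

recover_strings() is the part worth keeping in an analyst toolkit: once the key is known, run it over memory dumps or the decoded payload and the obfuscated strings come back as plaintext candidates, which can then feed the discovery and persistence indicators discussed earlier on this page. The regex treats runs of Base64 alphabet characters as one token, so adjacent alphabet bytes in real dumps merge and should be split on known offsets.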
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (object hashes and MITRE modification timestamps). For MITRE's own release notes and roadmap, see the ATT&CK Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 5d841f33a0b5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Palo Alto Comnie: Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Palo Alto Networks Unit 42. Retrieved June 7, 2018.
[2] MITRE ATT&CK. S0244: Comnie (mirrored source object). https://attack.mitre.org/software/S0244/
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.