Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumexperimental

OpenEDR Spawning Command Shell

Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities. This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool. Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
kostastsaleCreated Thu Feb 197f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1dwindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        ParentImage|endswith: '\ITSMService.exe'
        Image|endswith: '\ssh-shellhost.exe'
        CommandLine|contains: '--pty'
    selection_cli_shell:
        CommandLine|contains:
            - 'bash'
            - 'cmd'
            - 'powershell'
            - 'pwsh'
    condition: all of selection_*
False Positives

Legitimate use of OpenEDR for remote command execution

References
1
Resolving title…
kostas-ts.medium.com
MITRE ATT&CK
Rule Metadata
Rule ID
7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d
Status
experimental
Level
medium
Type
Detection
Created
Thu Feb 19
Author
kostastsale
Path
rules/windows/process_creation/proc_creation_win_comodo_ssh_shellhost_cmd_spawn.yml
Raw Tags
attack.executionattack.t1059.003attack.lateral-movementattack.t1021.004attack.command-and-controlattack.t1219
View on GitHub