Detection | medium | experimental
Potentially Suspicious File Creation by OpenEDR's ITSMService
Detects the creation of potentially suspicious files by OpenEDR's ITSMService process. The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features. While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
Log Source
Windows / File Event
Product: windows
Category: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
detection:
  selection_process:
    Image|endswith: '\COMODO\Endpoint Manager\ITSMService.exe'
  selection_suspicious_extensions:
    TargetFilename|endswith:
      - '.7z'
      - '.bat'
      - '.cmd'
      - '.com'
      - '.dll'
      - '.exe'
      - '.hta'
      - '.js'
      - '.pif'
      - '.ps1'
      - '.rar'
      - '.scr'
      - '.vbe'
      - '.vbs'
      - '.zip'
  condition: all of selection_*
False Positives
Legitimate OpenEDR file management operations
Authorized remote file uploads by IT administrators
Software deployment through OpenEDR console
References
MITRE ATT&CK
Rule Metadata
Rule ID
9e4b7d3a-6f2c-4e9a-8d1b-3c5e7a9f2b4d
Status
experimental
Level
medium
Type
Detection
Created
Thu Feb 19
Author
Path
rules/windows/file/file_event/file_event_win_comodo_itsm_potentially_suspicious_file_creation.yml
Raw Tags
attack.command-and-control, attack.t1105, attack.lateral-movement, attack.t1570, attack.t1219