legitimate openedr file management operations

t1105
t1219
t1570
windows
sigma

Techniques

t1105
t1219
t1570

Sample rules

Potentially Suspicious File Creation by OpenEDR’s ITSMService

source: sigma
technicques:
- t1105
- t1219
- t1570

Description

Detects the creation of potentially suspicious files by OpenEDR’s ITSMService process. The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features. While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.

Detection logic

condition: all of selection_*
selection_process:
  Image|endswith: \COMODO\Endpoint Manager\ITSMService.exe
selection_suspicious_extensions:
  TargetFilename|endswith:
  - .7z
  - .bat
  - .cmd
  - .com
  - .dll
  - .exe
  - .hta
  - .js
  - .pif
  - .ps1
  - .rar
  - .scr
  - .vbe
  - .vbs
  - .zip