legitimate use of openedr for remote command execution

t1021
t1021.004
t1059
t1059.003
t1219
windows
sigma

Techniques

t1021
t1021.004
t1059
t1059.003
t1219

Sample rules

OpenEDR Spawning Command Shell

source: sigma
technicques:
- t1021
- t1021.004
- t1059
- t1059.003
- t1219

Description

Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities. This may indicate remote command execution through OpenEDR’s remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool. Threat actors may leverage OpenEDR’s remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.

Detection logic

condition: all of selection_*
selection_cli_shell:
  CommandLine|contains:
  - bash
  - cmd
  - powershell
  - pwsh
selection_img:
  CommandLine|contains: --pty
  Image|endswith: \ssh-shellhost.exe
  ParentImage|endswith: \ITSMService.exe