Potentially Suspicious File Creation by OpenEDR's ITSMService
Detects the creation of potentially suspicious files by OpenEDR's ITSMService process. The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features. While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
Sigma rule

```yaml
title: Potentially Suspicious File Creation by OpenEDR's ITSMService
id: 9e4b7d3a-6f2c-4e9a-8d1b-3c5e7a9f2b4d
status: experimental
description: |
    Detects the creation of potentially suspicious files by OpenEDR's ITSMService process.
    The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features.
    While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
author: '@kostastsale'
date: 2026-02-19
references:
    - https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
tags:
    - attack.command-and-control
    - attack.t1105
    - attack.lateral-movement
    - attack.t1570
    - attack.t1219
logsource:
    product: windows
    category: file_event
detection:
    selection_process:
        Image|endswith: '\COMODO\Endpoint Manager\ITSMService.exe'
    selection_suspicious_extensions:
        TargetFilename|endswith:
            - '.7z'
            - '.bat'
            - '.cmd'
            - '.com'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.js'
            - '.pif'
            - '.ps1'
            - '.rar'
            - '.scr'
            - '.vbe'
            - '.vbs'
            - '.zip'
    condition: all of selection_*
falsepositives:
    - Legitimate OpenEDR file management operations
    - Authorized remote file uploads by IT administrators
    - Software deployment through OpenEDR console
level: medium
```
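To see exactly which file-create events the two selections above do and do not match, here is an added example that re-implements the rule's logic in Python and runs it over a handful of constructed Sysmon Event ID 11 (FileCreate) records. This is not code from the rule author or from OpenEDR; the event records, hostnames and paths are invented, and the field names (`Image`, `TargetFilename`) are the Sysmon fields that Sigma's `windows` / `file_event` logsource maps to. Sigma string modifiers such as `endswith` compare case-insensitively unless `|cased` is added, so the comparison is lower-cased here to reproduce that behaviour.

```python
"""Evaluate the ITSMService file-creation Sigma rule against constructed events.

Added example, not part of the rule or of OpenEDR. It mirrors the rule's two
selections: the writing process must be the installed ITSMService.exe (matched
by path suffix) AND the created file must carry one of the listed extensions.
"""
from __future__ import annotations

# Suffix from selection_process, lower-cased because Sigma 'endswith' is
# case-insensitive by default.
ITSM_IMAGE_SUFFIX = r"\comodo\endpoint manager\itsmservice.exe"

# Extensions from selection_suspicious_extensions, verbatim from the rule.
SUSPICIOUS_EXTENSIONS = (
    ".7z", ".bat", ".cmd", ".com", ".dll", ".exe", ".hta", ".js", ".pif",
    ".ps1", ".rar", ".scr", ".vbe", ".vbs", ".zip",
)


def matches_rule(event: dict) -> bool:
    """Return True when both selections match, i.e. 'all of selection_*'."""
    image = str(event.get("Image", "")).lower()
    target = str(event.get("TargetFilename", "")).lower()
    if not image.endswith(ITSM_IMAGE_SUFFIX):
        return False
    return any(target.endswith(ext) for ext in SUSPICIOUS_EXTENSIONS)


def run_detection(events: list[dict]) -> list[dict]:
    """Filter a batch of file-create events down to the ones that would alert."""
    return [event for event in events if matches_rule(event)]


# Constructed Sysmon Event ID 11 records (assumed install path, invented targets).
ITSM_IMAGE = r"C:\Program Files (x86)\COMODO\Endpoint Manager\ITSMService.exe"
SAMPLE_EVENTS = [
    # Executable dropped by the agent: alerts.
    {"EventID": 11, "Image": ITSM_IMAGE, "TargetFilename": r"C:\Windows\Temp\payload.exe"},
    # Upper-case extension still alerts because 'endswith' is case-insensitive.
    {"EventID": 11, "Image": ITSM_IMAGE, "TargetFilename": r"C:\Users\Public\Update.PS1"},
    # Benign file type from the same process: no alert.
    {"EventID": 11, "Image": ITSM_IMAGE, "TargetFilename": r"C:\ProgramData\Comodo\inventory.txt"},
    # .msi is not in the rule's extension list, so an MSI drop is not covered: no alert.
    {"EventID": 11, "Image": ITSM_IMAGE, "TargetFilename": r"C:\Users\Public\installer.msi"},
    # Same suspicious extension but a different writing process: no alert.
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe", "TargetFilename": r"C:\Users\bob\Downloads\tool.exe"},
    # ITSMService.exe copied outside its install directory does not match the path suffix: no alert.
    {"EventID": 11, "Image": r"C:\Users\Public\ITSMService.exe", "TargetFilename": r"C:\Users\Public\drop.dll"},
]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"ALERT  {hit['Image']} -> {hit['TargetFilename']}")
```

Two points the sample records make visible: the rule keys on the agent's installation-path suffix, so it is scoped to the legitimately installed ITSMService binary rather than to any file named `ITSMService.exe`, and the extension list is a closed allowlist of "suspicious" types, so archive or installer formats not on it (such as `.msi` in the sample) pass silently. When the "software deployment through OpenEDR console" false positive is frequent, a practical tuning is an additional filter on the directories the console is known to deploy into, rather than removing extensions from the list.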
Related rules
- OpenEDR Spawning Command Shell
- Cisco Stage Data
- Potential Exploitation of RCE Vulnerability CVE-2025-33053
- Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
- Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Process Access