OpenEDR Spawning Command Shell

Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities. This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool. Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.

Sigma rule

title: OpenEDR Spawning Command Shell
id: 7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d
status: experimental
description: |
    Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities.
    This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool.
    Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.
author: '@kostastsale'
date: 2026-02-19
references:
    - https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
tags:
    - attack.execution
    - attack.t1059.003
    - attack.lateral-movement
    - attack.t1021.004
    - attack.command-and-control
    - attack.t1219
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        ParentImage|endswith: '\ITSMService.exe'
        Image|endswith: '\ssh-shellhost.exe'
        CommandLine|contains: '--pty'
    selection_cli_shell:
        CommandLine|contains:
            - 'bash'
            - 'cmd'
            - 'powershell'
            - 'pwsh'
    condition: all of selection_*
falsepositives:
    - Legitimate use of OpenEDR for remote command execution
level: medium
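As an added example (not part of the rule or the OpenEDR project), the following Python evaluates the rule's two selections over constructed process-creation events, showing why a PTY shell without the ITSMService.exe parent, or ssh-shellhost.exe without `--pty`, does not fire. Field names follow the Sigma process_creation schema; the `<OPENEDR_DIR>` and `<OTHER_DIR>` paths are placeholders, not real install locations.

```python
SHELL_TOKENS = ("bash", "cmd", "powershell", "pwsh")


def matches_openedr_shell(event: dict) -> bool:
    """Return True when the event satisfies the rule's 'all of selection_*'.

    Sigma's endswith/contains modifiers are case-insensitive by default,
    so every comparison is done on lower-cased values.
    """
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()

    # selection_img: the ITSM service launching ssh-shellhost.exe with --pty
    selection_img = (
        parent.endswith("\\itsmservice.exe")
        and image.endswith("\\ssh-shellhost.exe")
        and "--pty" in cmdline
    )
    # selection_cli_shell: a shell interpreter named on the command line
    selection_cli_shell = any(tok in cmdline for tok in SHELL_TOKENS)
    return selection_img and selection_cli_shell


# Constructed sample events; <OPENEDR_DIR> is a placeholder, not a real install path
SAMPLE_EVENTS = [
    {   # hit: PTY shell host launching cmd.exe under the ITSM service
        "ParentImage": r"C:\<OPENEDR_DIR>\ITSMService.exe",
        "Image": r"C:\<OPENEDR_DIR>\ssh-shellhost.exe",
        "CommandLine": r'ssh-shellhost.exe --pty "cmd.exe"',
    },
    {   # miss: same binaries, but no --pty flag on the command line
        "ParentImage": r"C:\<OPENEDR_DIR>\ITSMService.exe",
        "Image": r"C:\<OPENEDR_DIR>\ssh-shellhost.exe",
        "CommandLine": r"ssh-shellhost.exe -c powershell.exe",
    },
    {   # miss: PTY shell, but the parent is not ITSMService.exe
        "ParentImage": r"C:\<OTHER_DIR>\sshd.exe",
        "Image": r"C:\<OTHER_DIR>\ssh-shellhost.exe",
        "CommandLine": r"ssh-shellhost.exe --pty pwsh.exe",
    },
]


def run_rule(events: list[dict]) -> list[int]:
    """Return the indexes of the events that fire the rule."""
    return [i for i, ev in enumerate(events) if matches_openedr_shell(ev)]


if __name__ == "__main__":
    print("alerts on events:", run_rule(SAMPLE_EVENTS))  # → [0]
```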
