Detection rules › Sigma
Potentially Suspicious File Creation by OpenEDR's ITSMService
Detects the creation of potentially suspicious files by OpenEDR's ITSMService process. The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features. While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Lateral Movement | T1570 Lateral Tool Transfer |
| Command & Control | T1105 Ingress Tool Transfer, T1219 Remote Access Tools |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Both stages must match for the rule to fire. Stage 1: all of selection_process

```yaml
selection_process:
  Image|endswith: '\COMODO\Endpoint Manager\ITSMService.exe'
```

Stage 2: all of selection_suspicious_extensions (a list of values under one field is ORed; any one extension satisfies the selection)

```yaml
selection_suspicious_extensions:
  TargetFilename|endswith:
    - '.7z'
    - '.bat'
    - '.cmd'
    - '.com'
    - '.dll'
    - '.exe'
    - '.hta'
    - '.js'
    - '.pif'
    - '.ps1'
    - '.rar'
    - '.scr'
    - '.vbe'
    - '.vbs'
    - '.zip'
```
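To make the two stages concrete, here is an added example (not part of the rule catalog or the Sigma project) that evaluates the selections above against a handful of constructed Sysmon Event ID 11 records. It assumes the usual Sigma semantics of case-insensitive `endswith` matching and that both selections are ANDed in the condition; the event dictionaries, field names `EventID`, `Image` and `TargetFilename`, and every path in them are constructed sample data.

```python
"""Evaluate the rule's two selections against constructed Sysmon FileCreate records."""
from typing import Iterable

# Selection values as listed in the rule. Sigma string matching is
# case-insensitive by default, so both sides are compared lower-cased.
PROCESS_IMAGE_SUFFIX = r"\COMODO\Endpoint Manager\ITSMService.exe".lower()

SUSPICIOUS_EXTENSIONS = (
    ".7z", ".bat", ".cmd", ".com", ".dll", ".exe", ".hta", ".js", ".pif",
    ".ps1", ".rar", ".scr", ".vbe", ".vbs", ".zip",
)


def selection_process(event: dict) -> bool:
    """Stage 1: Image|endswith the ITSMService.exe install path suffix."""
    return event.get("Image", "").lower().endswith(PROCESS_IMAGE_SUFFIX)


def selection_suspicious_extensions(event: dict) -> bool:
    """Stage 2: TargetFilename|endswith any listed extension (OR across the list)."""
    target = event.get("TargetFilename", "").lower()
    return any(target.endswith(ext) for ext in SUSPICIOUS_EXTENSIONS)


def rule_matches(event: dict) -> bool:
    """Assumed condition: selection_process and selection_suspicious_extensions,
    scoped to Sysmon FileCreate events (Event ID 11) as the event coverage states."""
    if event.get("EventID") != 11:
        return False
    return selection_process(event) and selection_suspicious_extensions(event)


# Constructed sample events (hypothetical paths, not real telemetry).
SAMPLE_EVENTS = [
    {   # 1: ITSMService drops an executable -> should alert
        "EventID": 11,
        "Image": r"C:\Program Files\COMODO\Endpoint Manager\ITSMService.exe",
        "TargetFilename": r"C:\Windows\Temp\update.exe",
    },
    {   # 2: upper-case extension -> still alerts (case-insensitive endswith)
        "EventID": 11,
        "Image": r"C:\Program Files\COMODO\Endpoint Manager\ITSMService.exe",
        "TargetFilename": r"C:\Users\Public\tool.PS1",
    },
    {   # 3: ITSMService writes its own log file -> benign, no alert
        "EventID": 11,
        "Image": r"C:\Program Files\COMODO\Endpoint Manager\ITSMService.exe",
        "TargetFilename": r"C:\ProgramData\COMODO\itsm.log",
    },
    {   # 4: a different process drops an exe -> out of scope for this rule
        "EventID": 11,
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\alice\Downloads\setup.exe",
    },
    {   # 5: same binary name outside the install directory -> the Image
        #    predicate requires the full '\COMODO\Endpoint Manager\' suffix,
        #    so this copy is not matched by the rule (a coverage gap to know about)
        "EventID": 11,
        "Image": r"C:\Users\bob\ITSMService.exe",
        "TargetFilename": r"C:\Users\bob\stage.zip",
    },
]


def matching_targets(events: Iterable[dict]) -> list:
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for target in matching_targets(SAMPLE_EVENTS):
        print("ALERT: file created by ITSMService:", target)
```

Events 1 and 2 alert, the rest do not. Event 5 is worth noting when tuning: because the Image predicate anchors on the directory suffix rather than the bare file name, the rule deliberately keys on the product's install location, so file writes by a renamed or relocated copy of the binary fall to other rules.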
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| Image | ends_with | `\COMODO\Endpoint Manager\ITSMService.exe` |
| TargetFilename | ends_with | `.7z`, `.bat`, `.cmd`, `.com`, `.dll`, `.exe`, `.hta`, `.js`, `.pif`, `.ps1`, `.rar`, `.scr`, `.vbe`, `.vbs`, `.zip` |