Detection rules › Sigma
OpenEDR Spawning Command Shell
Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities. This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool. Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.003 Command and Scripting Interpreter: Windows Command Shell |
| Lateral Movement | T1021.004 Remote Services: SSH |
| Command & Control | T1219 Remote Access Tools |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
Stage 1: all of selection_img
CommandLine|contains: --pty
Image|endswith: '\ssh-shellhost.exe'
ParentImage|endswith: '\ITSMService.exe'
Stage 2: all of selection_cli_shell
or:
CommandLine|contains: bash
CommandLine|contains: cmd
CommandLine|contains: powershell
CommandLine|contains: pwsh
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
Image | ends_with |
|
ParentImage | ends_with |
|