```yaml
title: OpenEDR Spawning Command Shell
id: 7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d
status: experimental
description: |
    Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities.
    This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool.
    Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.
author: '@kostastsale'
date: 2026-02-19
references:
    - https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
tags:
    - attack.execution
    - attack.t1059.003
    - attack.lateral-movement
    - attack.t1021.004
    - attack.command-and-control
    - attack.t1219
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        ParentImage|endswith: '\ITSMService.exe'
        Image|endswith: '\ssh-shellhost.exe'
        CommandLine|contains: '--pty'
    selection_cli_shell:
        CommandLine|contains:
            - 'bash'
            - 'cmd'
            - 'powershell'
            - 'pwsh'
    condition: all of selection_*
falsepositives:
    - Legitimate use of OpenEDR for remote command execution
level: medium
```
```kql
imProcessCreate
| where ((ParentProcessName endswith "\\ITSMService.exe" or ActingProcessName endswith "\\ITSMService.exe") and TargetProcessName endswith "\\ssh-shellhost.exe" and TargetProcessCommandLine contains "--pty") and (TargetProcessCommandLine contains "bash" or TargetProcessCommandLine contains "cmd" or TargetProcessCommandLine contains "powershell" or TargetProcessCommandLine contains "pwsh")
```

| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |
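The rule's selection logic replayed over sample telemetry, as an added Python example (not the rule's own code or anything from OpenEDR): the file paths, process IDs and command lines are constructed values, and the field names follow the Sigma process_creation fields the rule references.

```python
# Added example (not part of the Sigma rule or OpenEDR): replays the rule's
# detection logic over constructed process_creation events. Sigma string
# modifiers (endswith/contains) are case-insensitive, so both sides are
# lowercased before comparison.
SHELL_TOKENS = ("bash", "cmd", "powershell", "pwsh")


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'all of selection_*'."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()

    selection_img = (
        parent.endswith("\\itsmservice.exe")
        and image.endswith("\\ssh-shellhost.exe")
        and "--pty" in cmdline
    )
    # 'contains' is a plain substring test, so "cmd" also hits "cmd.exe".
    selection_cli_shell = any(tok in cmdline for tok in SHELL_TOKENS)
    return selection_img and selection_cli_shell


def run_detection(events: list) -> list:
    """Return the ProcessIds of the events that fire the rule."""
    return [e["ProcessId"] for e in events if matches_rule(e)]


# Constructed sample telemetry (hypothetical paths and PIDs, not real logs).
AGENT = r"C:\Program Files\OpenEDR\ITSMService.exe"
SHELLHOST = r"C:\Program Files\OpenEDR\ssh-shellhost.exe"
SAMPLE_EVENTS = [
    # PTY-backed cmd.exe launched under the agent service: fires
    {"ProcessId": 4100, "ParentImage": AGENT, "Image": SHELLHOST,
     "CommandLine": 'ssh-shellhost.exe --pty "cmd.exe"'},
    # PTY-backed PowerShell with mixed-case arguments: still fires
    {"ProcessId": 4101, "ParentImage": AGENT, "Image": SHELLHOST,
     "CommandLine": 'ssh-shellhost.exe --PTY "PowerShell.exe -NoProfile"'},
    # No --pty on the command line: does not fire
    {"ProcessId": 4102, "ParentImage": AGENT, "Image": SHELLHOST,
     "CommandLine": "ssh-shellhost.exe -c whoami"},
    # Same binary spawned from a different parent: does not fire
    {"ProcessId": 4103, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": SHELLHOST, "CommandLine": 'ssh-shellhost.exe --pty "cmd.exe"'},
]

if __name__ == "__main__":
    print("alerting PIDs:", run_detection(SAMPLE_EVENTS))
```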
Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows
Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.
SSH
An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote access tools create a session between two trusted hosts through a g
Use these Atomic Red Team tests to validate this detection fires correctly: