OpenEDR Spawning Command Shell

Original Source: [Sigma source]
Title: OpenEDR Spawning Command Shell
Status: experimental
Description: Detects OpenEDR's ssh-shellhost.exe, launched by ITSMService.exe with the --pty (pseudo-terminal) flag, spawning a command shell (cmd.exe, PowerShell, pwsh or bash). This indicates remote command execution through OpenEDR's remote management features, which may be legitimate administrative activity or abuse of the remote access tool. Threat actors may use OpenEDR's remote shell capability to execute commands on compromised systems, facilitating lateral movement or command-and-control operations.
References:
  - https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
Author: @kostastsale
Date: 2026-02-19
Modified: None
Tags:
  • attack.execution
  • attack.t1059.003
  • attack.lateral-movement
  • attack.t1021.004
  • attack.command-and-control
  • attack.t1219
Logsource:
  • product: windows
  • category: process_creation
Detection:
  selection_img:
    ParentImage|endswith: '\ITSMService.exe'
    Image|endswith: '\ssh-shellhost.exe'
    CommandLine|contains: '--pty'
  selection_cli_shell:
    CommandLine|contains:
      - 'bash'
      - 'cmd'
      - 'powershell'
      - 'pwsh'
  condition: all of selection_*
False positives:
  - Legitimate use of OpenEDR for remote command execution
Level: medium
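The following is an added example, not part of the Sigma rule or the OpenEDR project: a minimal evaluator for this rule's two selections and its `all of selection_*` condition, run over constructed Windows process_creation events. The installation paths, the `Example` vendor directory and the command lines are made up for illustration; only the field names and patterns come from the rule above.

```python
# Added example (not the rule's own code): evaluate the two selections and the
# "all of selection_*" condition over constructed process_creation events.
# Paths and command lines below are invented; only the rule patterns are real.

RULE = {
    "selection_img": {
        "ParentImage|endswith": ["\\ITSMService.exe"],
        "Image|endswith": ["\\ssh-shellhost.exe"],
        "CommandLine|contains": ["--pty"],
    },
    "selection_cli_shell": {
        "CommandLine|contains": ["bash", "cmd", "powershell", "pwsh"],
    },
}


def field_matches(value: str, modifier: str, patterns) -> bool:
    """One Sigma field: any listed pattern may match (OR).

    Sigma string matching is case-insensitive by default, so both sides are
    lower-cased before comparison.
    """
    v = value.lower()
    for pattern in patterns:
        p = pattern.lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier == "" and v == p:
            return True
    return False


def selection_matches(selection: dict, event: dict) -> bool:
    """One selection: every field listed in it must match (AND)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not field_matches(str(event.get(field, "")), modifier, patterns):
            return False
    return True


def rule_matches(event: dict, rule: dict = RULE) -> bool:
    """condition: all of selection_*  -> every selection must match."""
    return all(
        selection_matches(sel, event)
        for name, sel in rule.items()
        if name.startswith("selection_")
    )


# Constructed events; only the three fields the rule reads are populated.
SAMPLE_EVENTS = [
    {   # true positive: PTY-backed cmd.exe under the ITSM service
        "id": "evt-1",
        "ParentImage": r"C:\Program Files\Example\ITSMService.exe",
        "Image": r"C:\Program Files\Example\ssh-shellhost.exe",
        "CommandLine": r'"C:\Program Files\Example\ssh-shellhost.exe" --pty cmd.exe',
    },
    {   # true positive: PowerShell instead of cmd.exe
        "id": "evt-2",
        "ParentImage": r"C:\Program Files\Example\ITSMService.exe",
        "Image": r"C:\Program Files\Example\ssh-shellhost.exe",
        "CommandLine": r'"C:\Program Files\Example\ssh-shellhost.exe" --pty "powershell.exe -NoProfile"',
    },
    {   # no --pty flag: selection_img fails even though "cmd" is present
        "id": "evt-3",
        "ParentImage": r"C:\Program Files\Example\ITSMService.exe",
        "Image": r"C:\Program Files\Example\ssh-shellhost.exe",
        "CommandLine": r'"C:\Program Files\Example\ssh-shellhost.exe" cmd.exe',
    },
    {   # same child binary name but a different (constructed) parent: no match
        "id": "evt-4",
        "ParentImage": r"C:\Windows\System32\OpenSSH\sshd.exe",
        "Image": r"C:\Windows\System32\OpenSSH\ssh-shellhost.exe",
        "CommandLine": r'"C:\Windows\System32\OpenSSH\ssh-shellhost.exe" --pty cmd.exe',
    },
    {   # upper-cased telemetry still matches: Sigma matching is case-insensitive
        "id": "evt-5",
        "ParentImage": r"C:\PROGRAM FILES\EXAMPLE\ITSMSERVICE.EXE",
        "Image": r"C:\PROGRAM FILES\EXAMPLE\SSH-SHELLHOST.EXE",
        "CommandLine": r'"C:\PROGRAM FILES\EXAMPLE\SSH-SHELLHOST.EXE" --PTY PWSH.EXE',
    },
]


def matching_ids(events=SAMPLE_EVENTS) -> list:
    """Return the ids of the events the rule fires on."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], "ALERT" if rule_matches(e) else "no match")
```

Two things the run makes visible. First, `selection_cli_shell` is a plain substring test, so a command line containing `cmd` anywhere (a path component, for instance) satisfies it on its own; the specificity of the rule comes from `selection_img` requiring the ITSMService.exe parent, the ssh-shellhost.exe image and the `--pty` flag together. Second, the parent-image constraint matters because the child name alone is not unique: evt-4 shows an ssh-shellhost.exe with a different parent being excluded.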