Add detection rules for abuse of OpenEDR's response features #5716

tsale · 2025-10-22T03:45:31Z

Summary of the Pull Request

Two new detection rules for identifying potential abuse of OpenEDR's remote management features as described here.

OpenEDR cloud-based solution, powered by XCitium, includes RMM capabilities (file management, interactive shells, remote execution) that threat actors can abuse. This rule is targeted explicitly at unauthorized remote command execution and file uploads through their legitimate offering.

Changelog

new: File Created via OpenEDR Response Features
new: OpenEDR Spawning Command Shell

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

If your PR adds new rules, please consider following and applying these conventions

…point Manager (OpenEDR) remote management features.

…ection rule

…larmist

rules/windows/file/file_event/file_event_win_comodo_itsm_suspicious_file_creation.yml

rules/windows/process_creation/proc_creation_win_comodo_ssh_shellhost_cmd_spawn.yml

tsale added 5 commits October 21, 2025 20:31

Two new detection rules for identifying potential abuse of COMODO End…

b94cc94

…point Manager (OpenEDR) remote management features.

fix: update author name to Twitter handle in Comodo SSH shellhost det…

27fddfa

…ection rule

refactor: update COMODO references to OpenEDR in detection rules

d2fb54f

fix: remove empty line in Comodo ITSM file creation detection rule

5e66c5b

refactor: rename OpenEDR detection rule to be more precise and less a…

5be4af8

…larmist

github-actions bot added Rules Windows Pull request add/update windows related rules labels Oct 22, 2025

tsale added 5 commits October 21, 2025 20:58

style: fix indentation

6a7bbca

style: fix more indentation issues

4daa2d5

fix: Guess what, more indentation issues. Hopefully that's all now.

8e513e3

fix: update old-school MITRE ATT&CK tags

b693c82

chore: lowered severity level to please the gods of Sigma

ffae9e0

phantinuss reviewed Oct 22, 2025

View reviewed changes

rules/windows/file/file_event/file_event_win_comodo_itsm_suspicious_file_creation.yml Outdated Show resolved Hide resolved

phantinuss reviewed Oct 22, 2025

View reviewed changes

rules/windows/process_creation/proc_creation_win_comodo_ssh_shellhost_cmd_spawn.yml Outdated Show resolved Hide resolved

fix: initial status

bf967f9

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Uh oh!

Add detection rules for abuse of OpenEDR's response features #5716

Add detection rules for abuse of OpenEDR's response features #5716

Uh oh!

tsale commented Oct 22, 2025

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Uh oh!

Uh oh!

Add detection rules for abuse of OpenEDR's response features #5716

Are you sure you want to change the base?

Add detection rules for abuse of OpenEDR's response features #5716

Uh oh!

Conversation

tsale commented Oct 22, 2025

Summary of the Pull Request

Changelog

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants