```yaml
title: Potentially Suspicious File Creation by OpenEDR's ITSMService
id: 9e4b7d3a-6f2c-4e9a-8d1b-3c5e7a9f2b4d
status: experimental
description: |
    Detects the creation of potentially suspicious files by OpenEDR's ITSMService process.
    The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features.
    While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
author: '@kostastsale'
date: 2026-02-19
references:
    - https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
tags:
    - attack.command-and-control
    - attack.t1105
    - attack.lateral-movement
    - attack.t1570
    - attack.t1219
logsource:
    product: windows
    category: file_event
detection:
    selection_process:
        Image|endswith: '\COMODO\Endpoint Manager\ITSMService.exe'
    selection_suspicious_extensions:
        TargetFilename|endswith:
            - '.7z'
            - '.bat'
            - '.cmd'
            - '.com'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.js'
            - '.pif'
            - '.ps1'
            - '.rar'
            - '.scr'
            - '.vbe'
            - '.vbs'
            - '.zip'
    condition: all of selection_*
falsepositives:
    - Legitimate OpenEDR file management operations
    - Authorized remote file uploads by IT administrators
    - Software deployment through OpenEDR console
level: medium
```
Equivalent query for Microsoft Sentinel (ASIM `imFileEvent` parser). The Sigma `Image` field is the process that creates the file, so it must be compared against `ActingProcessName`, not `TargetFilePath`: a query that requires the target path to end in `ITSMService.exe` while also requiring a script or archive extension can never match.

```kql
imFileEvent
// Image (creating process) maps to ActingProcessName in the ASIM FileEvent schema
| where ActingProcessName endswith "\\COMODO\\Endpoint Manager\\ITSMService.exe"
    and (TargetFileName endswith ".7z" or TargetFileName endswith ".bat"
      or TargetFileName endswith ".cmd" or TargetFileName endswith ".com"
      or TargetFileName endswith ".dll" or TargetFileName endswith ".exe"
      or TargetFileName endswith ".hta" or TargetFileName endswith ".js"
      or TargetFileName endswith ".pif" or TargetFileName endswith ".ps1"
      or TargetFileName endswith ".rar" or TargetFileName endswith ".scr"
      or TargetFileName endswith ".vbe" or TargetFileName endswith ".vbs"
      or TargetFileName endswith ".zip")
```
| Sentinel Table | Notes |
|---|---|
| imFileEvent | Ensure this data connector is enabled |
Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network th
Adversaries may transfer tools or other files between systems in a compromised environment. Once brought into the victim environment (i.e., [Ingress Tool Transfer](https://attack.mitre.org/techniques/
An adversary may use legitimate remote access tools to establish an interactive command and control channel within a network. Remote access tools create a session between two trusted hosts through a g
Use these Atomic Red Team tests to validate this detection fires correctly: