sigmamediumHunting

Potentially Suspicious File Creation by OpenEDR's ITSMService

Detects the creation of potentially suspicious files by OpenEDR's ITSMService process. The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features. While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.

MITRE ATT&CK

T1105 T1570 T1219

command-and-controllateral-movement

Detection Query

selection_process:
  Image|endswith: \COMODO\Endpoint Manager\ITSMService.exe
selection_suspicious_extensions:
  TargetFilename|endswith:
    - .7z
    - .bat
    - .cmd
    - .com
    - .dll
    - .exe
    - .hta
    - .js
    - .pif
    - .ps1
    - .rar
    - .scr
    - .vbe
    - .vbs
    - .zip
condition: all of selection_*

Author

@kostastsale

Created

2026-02-19

Data Sources

windowsFile Events

Platforms

windows

References

https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c

Tags

attack.command-and-controlattack.t1105attack.lateral-movementattack.t1570attack.t1219

Raw Content

title: Potentially Suspicious File Creation by OpenEDR's ITSMService
id: 9e4b7d3a-6f2c-4e9a-8d1b-3c5e7a9f2b4d
status: experimental
description: |
    Detects the creation of potentially suspicious files by OpenEDR's ITSMService process.
    The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features.
    While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
author: '@kostastsale'
date: 2026-02-19
references:
    - https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
tags:
    - attack.command-and-control
    - attack.t1105
    - attack.lateral-movement
    - attack.t1570
    - attack.t1219
logsource:
    product: windows
    category: file_event
detection:
    selection_process:
        Image|endswith: '\COMODO\Endpoint Manager\ITSMService.exe'
    selection_suspicious_extensions:
        TargetFilename|endswith:
            - '.7z'
            - '.bat'
            - '.cmd'
            - '.com'
            - '.dll'
            - '.exe'
            - '.hta'
            - '.js'
            - '.pif'
            - '.ps1'
            - '.rar'
            - '.scr'
            - '.vbe'
            - '.vbs'
            - '.zip'
    condition: all of selection_*
falsepositives:
    - Legitimate OpenEDR file management operations
    - Authorized remote file uploads by IT administrators
    - Software deployment through OpenEDR console
level: medium