Skip to content
Threat Feed
medium advisory

OpenEDR ssh-shellhost.exe Spawning Command Shell or PowerShell with PTY

OpenEDR's ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY capabilities may indicate remote command execution and potential abuse of OpenEDR's remote management features by threat actors for lateral movement or command-and-control.

OpenEDR, a security solution, includes remote management features that can be abused by threat actors. This activity involves the ssh-shellhost.exe process, spawned by ITSMService.exe, creating command shells like cmd.exe or PowerShell instances with PTY (pseudo-terminal) capabilities. The abuse of these features can allow attackers to execute arbitrary commands on a compromised system, move laterally within the network, or establish command and control channels. While legitimate administrators may use these features for remote management, their abuse represents a significant security risk. This is particularly concerning in environments where OpenEDR is deployed, as it provides a potential avenue for attackers to gain unauthorized access and control.

Attack Chain

  1. The attacker gains initial access to a system with OpenEDR installed. This could be achieved through various means, such as exploiting vulnerabilities or using stolen credentials.
  2. The attacker leverages OpenEDR's remote management capabilities.
  3. The ITSMService.exe process, associated with OpenEDR, spawns the ssh-shellhost.exe process.
  4. The ssh-shellhost.exe process executes a command shell, such as cmd.exe, powershell.exe, pwsh.exe or bash, with PTY (pseudo-terminal) support, indicated by the --pty argument in the command line.
  5. The attacker uses the spawned shell to execute commands on the compromised system. These commands could be used for reconnaissance, lateral movement, or other malicious activities.
  6. The attacker may use the established shell to install additional tools or malware on the system.
  7. The attacker moves laterally to other systems on the network, repeating the process.
  8. The final objective includes data exfiltration, ransomware deployment, or other malicious activities.

Impact

Successful exploitation allows attackers to execute arbitrary commands on compromised systems, potentially leading to data theft, system disruption, or ransomware deployment. The number of affected systems depends on the attacker's ability to move laterally within the network. Targeted sectors include any organization utilizing OpenEDR for endpoint protection. If successful, the attack can result in significant financial losses, reputational damage, and operational disruptions.

Recommendation

  • Deploy the Sigma rule "OpenEDR Spawning Command Shell" to your SIEM to detect suspicious ssh-shellhost.exe process creation events in your environment (rules).
  • Investigate any alerts generated by the Sigma rule to determine if the activity is legitimate or malicious.
  • Implement strict access controls and monitoring for OpenEDR's remote management features to prevent unauthorized use.
  • Review the reference article to gain a better understanding of the attack vector and potential mitigation strategies (references).

Detection coverage 2

OpenEDR Spawning Command Shell

medium

Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities.

sigma tactics: command-and-control, execution, lateral-movement techniques: T1021.004, T1059.003, T1219 sources: process_creation, windows

OpenEDR ssh-shellhost.exe execution

low

Detects execution of ssh-shellhost.exe by OpenEDR's ITSMService.exe.

sigma tactics: execution techniques: T1059.003 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →