OpenEDR ssh-shellhost.exe Spawning Command Shell or PowerShell with PTY
OpenEDR's ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY capabilities may indicate remote command execution and potential abuse of OpenEDR's remote management features by threat actors for lateral movement or command-and-control.
OpenEDR, a security solution, includes remote management features that can be abused by threat actors. This activity involves the ssh-shellhost.exe process, spawned by ITSMService.exe, creating command shells like cmd.exe or PowerShell instances with PTY (pseudo-terminal) capabilities. The abuse of these features can allow attackers to execute arbitrary commands on a compromised system, move laterally within the network, or establish command and control channels. While legitimate administrators may use these features for remote management, their abuse represents a significant security risk. This is particularly concerning in environments where OpenEDR is deployed, as it provides a potential avenue for attackers to gain unauthorized access and control.
Attack Chain
- The attacker gains initial access to a system with OpenEDR installed. This could be achieved through various means, such as exploiting vulnerabilities or using stolen credentials.
- The attacker leverages OpenEDR's remote management capabilities.
- The
ITSMService.exeprocess, associated with OpenEDR, spawns thessh-shellhost.exeprocess. - The
ssh-shellhost.exeprocess executes a command shell, such ascmd.exe,powershell.exe,pwsh.exeorbash, with PTY (pseudo-terminal) support, indicated by the--ptyargument in the command line. - The attacker uses the spawned shell to execute commands on the compromised system. These commands could be used for reconnaissance, lateral movement, or other malicious activities.
- The attacker may use the established shell to install additional tools or malware on the system.
- The attacker moves laterally to other systems on the network, repeating the process.
- The final objective includes data exfiltration, ransomware deployment, or other malicious activities.
Impact
Successful exploitation allows attackers to execute arbitrary commands on compromised systems, potentially leading to data theft, system disruption, or ransomware deployment. The number of affected systems depends on the attacker's ability to move laterally within the network. Targeted sectors include any organization utilizing OpenEDR for endpoint protection. If successful, the attack can result in significant financial losses, reputational damage, and operational disruptions.
Recommendation
- Deploy the Sigma rule "OpenEDR Spawning Command Shell" to your SIEM to detect suspicious
ssh-shellhost.exeprocess creation events in your environment (rules). - Investigate any alerts generated by the Sigma rule to determine if the activity is legitimate or malicious.
- Implement strict access controls and monitoring for OpenEDR's remote management features to prevent unauthorized use.
- Review the reference article to gain a better understanding of the attack vector and potential mitigation strategies (references).
Detection coverage 2
OpenEDR Spawning Command Shell
mediumDetects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities.
OpenEDR ssh-shellhost.exe execution
lowDetects execution of ssh-shellhost.exe by OpenEDR's ITSMService.exe.
Detection queries are available on the platform. Get full rules →