{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/openedr/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenEDR"],"_cs_severities":["medium"],"_cs_tags":["openedr","itsmservice","file-creation","lateral-movement"],"_cs_type":"advisory","_cs_vendors":["OpenEDR"],"content_html":"\u003cp\u003eOpenEDR's ITSMService.exe is a legitimate component responsible for remote management operations within an environment. However, adversaries can abuse the ITSMService process to create executable or script files on the system through the process explorer or file management features. While these functions are legitimate for IT administrators, the creation of executable or script files in unusual locations or with suspicious names may indicate unauthorized file uploads, data staging for lateral movement, or the deployment of malicious payloads. This activity has been observed in experimental settings, highlighting the potential for abuse in real-world scenarios by threat actors aiming to leverage the built-in capabilities of OpenEDR for malicious purposes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to the target system through external means (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eOpenEDR Access: The attacker gains control or access to an existing OpenEDR installation or is able to install/configure a rogue instance.\u003c/li\u003e\n\u003cli\u003eITSMService Exploitation: The attacker leverages the OpenEDR console to interact with the ITSMService.exe process.\u003c/li\u003e\n\u003cli\u003eFile Upload: The attacker uses the ITSMService to upload a malicious file (e.g., .exe, .dll, .ps1) to a location on the target system.\u003c/li\u003e\n\u003cli\u003ePersistence (Optional): The attacker creates a scheduled task or modifies a registry key using ITSMService to maintain persistent access.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker leverages ITSMService to execute the uploaded malicious file.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The executed payload initiates lateral movement, potentially using credentials obtained through OpenEDR or other tools.\u003c/li\u003e\n\u003cli\u003eObjective: The attacker achieves their final objective, such as data exfiltration, ransomware deployment, or establishing a persistent backdoor.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass traditional security controls by abusing a trusted application (OpenEDR). It enables the deployment of malware, exfiltration of sensitive data, or the establishment of persistent access to compromised systems. While specific victim numbers are unknown, the permissive nature of OpenEDR's trial, as noted in research, suggests a broad potential attack surface. The impact could extend across various sectors utilizing OpenEDR for endpoint management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Potentially Suspicious File Creation by OpenEDR's ITSMService\u0026quot; to your SIEM to detect the creation of suspicious file types by the ITSMService process, and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events for files with extensions like .exe, .dll, .ps1, .bat, etc. created by 'ITSMService.exe' (logsource: file_event/windows).\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and auditing for OpenEDR consoles to prevent unauthorized use of ITSMService.exe.\u003c/li\u003e\n\u003cli\u003eReview and audit OpenEDR configurations to identify and remediate overly permissive settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-openedr-file-creation/","summary":"OpenEDR's ITSMService process, used for remote management, is being abused to create suspicious files on compromised systems, potentially leading to unauthorized file uploads, data staging, or malicious file deployment.","title":"Suspicious File Creation via OpenEDR ITSMService","url":"https://feed.craftedsignal.io/briefs/2024-01-openedr-file-creation/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenEDR"],"_cs_severities":["medium"],"_cs_tags":["openedr","remote-access-tool","lateral-movement"],"_cs_type":"advisory","_cs_vendors":["OpenEDR"],"content_html":"\u003cp\u003eOpenEDR, a security solution, includes remote management features that can be abused by threat actors. This activity involves the \u003ccode\u003essh-shellhost.exe\u003c/code\u003e process, spawned by \u003ccode\u003eITSMService.exe\u003c/code\u003e, creating command shells like \u003ccode\u003ecmd.exe\u003c/code\u003e or PowerShell instances with PTY (pseudo-terminal) capabilities. The abuse of these features can allow attackers to execute arbitrary commands on a compromised system, move laterally within the network, or establish command and control channels. While legitimate administrators may use these features for remote management, their abuse represents a significant security risk. This is particularly concerning in environments where OpenEDR is deployed, as it provides a potential avenue for attackers to gain unauthorized access and control.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system with OpenEDR installed. This could be achieved through various means, such as exploiting vulnerabilities or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages OpenEDR's remote management capabilities.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eITSMService.exe\u003c/code\u003e process, associated with OpenEDR, spawns the \u003ccode\u003essh-shellhost.exe\u003c/code\u003e process.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003essh-shellhost.exe\u003c/code\u003e process executes a command shell, such as \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003epwsh.exe\u003c/code\u003e or \u003ccode\u003ebash\u003c/code\u003e, with PTY (pseudo-terminal) support, indicated by the \u003ccode\u003e--pty\u003c/code\u003e argument in the command line.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the spawned shell to execute commands on the compromised system. These commands could be used for reconnaissance, lateral movement, or other malicious activities.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the established shell to install additional tools or malware on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems on the network, repeating the process.\u003c/li\u003e\n\u003cli\u003eThe final objective includes data exfiltration, ransomware deployment, or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary commands on compromised systems, potentially leading to data theft, system disruption, or ransomware deployment. The number of affected systems depends on the attacker's ability to move laterally within the network. Targeted sectors include any organization utilizing OpenEDR for endpoint protection. If successful, the attack can result in significant financial losses, reputational damage, and operational disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;OpenEDR Spawning Command Shell\u0026quot; to your SIEM to detect suspicious \u003ccode\u003essh-shellhost.exe\u003c/code\u003e process creation events in your environment (rules).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule to determine if the activity is legitimate or malicious.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and monitoring for OpenEDR's remote management features to prevent unauthorized use.\u003c/li\u003e\n\u003cli\u003eReview the reference article to gain a better understanding of the attack vector and potential mitigation strategies (references).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-openedr-cmd-spawn/","summary":"OpenEDR's ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY capabilities may indicate remote command execution and potential abuse of OpenEDR's remote management features by threat actors for lateral movement or command-and-control.","title":"OpenEDR ssh-shellhost.exe Spawning Command Shell or PowerShell with PTY","url":"https://feed.craftedsignal.io/briefs/2024-01-openedr-cmd-spawn/"}],"language":"en","title":"CraftedSignal Threat Feed - OpenEDR","version":"https://jsonfeed.org/version/1.1"}