{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/itsmservice/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenEDR"],"_cs_severities":["medium"],"_cs_tags":["openedr","itsmservice","file-creation","lateral-movement"],"_cs_type":"advisory","_cs_vendors":["OpenEDR"],"content_html":"\u003cp\u003eOpenEDR's ITSMService.exe is a legitimate component responsible for remote management operations within an environment. However, adversaries can abuse the ITSMService process to create executable or script files on the system through the process explorer or file management features. While these functions are legitimate for IT administrators, the creation of executable or script files in unusual locations or with suspicious names may indicate unauthorized file uploads, data staging for lateral movement, or the deployment of malicious payloads. This activity has been observed in experimental settings, highlighting the potential for abuse in real-world scenarios by threat actors aiming to leverage the built-in capabilities of OpenEDR for malicious purposes.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to the target system through external means (e.g., phishing, exploit).\u003c/li\u003e\n\u003cli\u003eOpenEDR Access: The attacker gains control or access to an existing OpenEDR installation or is able to install/configure a rogue instance.\u003c/li\u003e\n\u003cli\u003eITSMService Exploitation: The attacker leverages the OpenEDR console to interact with the ITSMService.exe process.\u003c/li\u003e\n\u003cli\u003eFile Upload: The attacker uses the ITSMService to upload a malicious file (e.g., .exe, .dll, .ps1) to a location on the target system.\u003c/li\u003e\n\u003cli\u003ePersistence (Optional): The attacker creates a scheduled task or modifies a registry key using ITSMService to maintain persistent access.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker leverages ITSMService to execute the uploaded malicious file.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The executed payload initiates lateral movement, potentially using credentials obtained through OpenEDR or other tools.\u003c/li\u003e\n\u003cli\u003eObjective: The attacker achieves their final objective, such as data exfiltration, ransomware deployment, or establishing a persistent backdoor.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to bypass traditional security controls by abusing a trusted application (OpenEDR). It enables the deployment of malware, exfiltration of sensitive data, or the establishment of persistent access to compromised systems. While specific victim numbers are unknown, the permissive nature of OpenEDR's trial, as noted in research, suggests a broad potential attack surface. The impact could extend across various sectors utilizing OpenEDR for endpoint management.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Potentially Suspicious File Creation by OpenEDR's ITSMService\u0026quot; to your SIEM to detect the creation of suspicious file types by the ITSMService process, and tune it for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor file creation events for files with extensions like .exe, .dll, .ps1, .bat, etc. created by 'ITSMService.exe' (logsource: file_event/windows).\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and auditing for OpenEDR consoles to prevent unauthorized use of ITSMService.exe.\u003c/li\u003e\n\u003cli\u003eReview and audit OpenEDR configurations to identify and remediate overly permissive settings.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-openedr-file-creation/","summary":"OpenEDR's ITSMService process, used for remote management, is being abused to create suspicious files on compromised systems, potentially leading to unauthorized file uploads, data staging, or malicious file deployment.","title":"Suspicious File Creation via OpenEDR ITSMService","url":"https://feed.craftedsignal.io/briefs/2024-01-openedr-file-creation/"}],"language":"en","title":"CraftedSignal Threat Feed - Itsmservice","version":"https://jsonfeed.org/version/1.1"}