<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>OpenEDR - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/openedr/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 24 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/openedr/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious File Creation via OpenEDR ITSMService</title><link>https://feed.craftedsignal.io/briefs/2024-01-openedr-file-creation/</link><pubDate>Wed, 24 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-openedr-file-creation/</guid><description>OpenEDR's ITSMService process, used for remote management, is being abused to create suspicious files on compromised systems, potentially leading to unauthorized file uploads, data staging, or malicious file deployment.</description><content:encoded><![CDATA[<p>OpenEDR's ITSMService.exe is a legitimate component responsible for remote management operations within an environment. However, adversaries can abuse the ITSMService process to create executable or script files on the system through the process explorer or file management features. While these functions are legitimate for IT administrators, the creation of executable or script files in unusual locations or with suspicious names may indicate unauthorized file uploads, data staging for lateral movement, or the deployment of malicious payloads. This activity has been observed in experimental settings, highlighting the potential for abuse in real-world scenarios by threat actors aiming to leverage the built-in capabilities of OpenEDR for malicious purposes.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: An attacker gains initial access to the target system through external means (e.g., phishing, exploit).</li>
<li>OpenEDR Access: The attacker gains control or access to an existing OpenEDR installation or is able to install/configure a rogue instance.</li>
<li>ITSMService Exploitation: The attacker leverages the OpenEDR console to interact with the ITSMService.exe process.</li>
<li>File Upload: The attacker uses the ITSMService to upload a malicious file (e.g., .exe, .dll, .ps1) to a location on the target system.</li>
<li>Persistence (Optional): The attacker creates a scheduled task or modifies a registry key using ITSMService to maintain persistent access.</li>
<li>Execution: The attacker leverages ITSMService to execute the uploaded malicious file.</li>
<li>Lateral Movement: The executed payload initiates lateral movement, potentially using credentials obtained through OpenEDR or other tools.</li>
<li>Objective: The attacker achieves their final objective, such as data exfiltration, ransomware deployment, or establishing a persistent backdoor.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to bypass traditional security controls by abusing a trusted application (OpenEDR). It enables the deployment of malware, exfiltration of sensitive data, or the establishment of persistent access to compromised systems. While specific victim numbers are unknown, the permissive nature of OpenEDR's trial, as noted in research, suggests a broad potential attack surface. The impact could extend across various sectors utilizing OpenEDR for endpoint management.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Potentially Suspicious File Creation by OpenEDR's ITSMService&quot; to your SIEM to detect the creation of suspicious file types by the ITSMService process, and tune it for your environment.</li>
<li>Monitor file creation events for files with extensions like .exe, .dll, .ps1, .bat, etc. created by 'ITSMService.exe' (logsource: file_event/windows).</li>
<li>Implement strict access controls and auditing for OpenEDR consoles to prevent unauthorized use of ITSMService.exe.</li>
<li>Review and audit OpenEDR configurations to identify and remediate overly permissive settings.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>openedr</category><category>itsmservice</category><category>file-creation</category><category>lateral-movement</category></item><item><title>OpenEDR ssh-shellhost.exe Spawning Command Shell or PowerShell with PTY</title><link>https://feed.craftedsignal.io/briefs/2024-01-openedr-cmd-spawn/</link><pubDate>Wed, 24 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-openedr-cmd-spawn/</guid><description>OpenEDR's ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY capabilities may indicate remote command execution and potential abuse of OpenEDR's remote management features by threat actors for lateral movement or command-and-control.</description><content:encoded><![CDATA[<p>OpenEDR, a security solution, includes remote management features that can be abused by threat actors. This activity involves the <code>ssh-shellhost.exe</code> process, spawned by <code>ITSMService.exe</code>, creating command shells like <code>cmd.exe</code> or PowerShell instances with PTY (pseudo-terminal) capabilities. The abuse of these features can allow attackers to execute arbitrary commands on a compromised system, move laterally within the network, or establish command and control channels. While legitimate administrators may use these features for remote management, their abuse represents a significant security risk. This is particularly concerning in environments where OpenEDR is deployed, as it provides a potential avenue for attackers to gain unauthorized access and control.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a system with OpenEDR installed. This could be achieved through various means, such as exploiting vulnerabilities or using stolen credentials.</li>
<li>The attacker leverages OpenEDR's remote management capabilities.</li>
<li>The <code>ITSMService.exe</code> process, associated with OpenEDR, spawns the <code>ssh-shellhost.exe</code> process.</li>
<li>The <code>ssh-shellhost.exe</code> process executes a command shell, such as <code>cmd.exe</code>, <code>powershell.exe</code>, <code>pwsh.exe</code> or <code>bash</code>, with PTY (pseudo-terminal) support, indicated by the <code>--pty</code> argument in the command line.</li>
<li>The attacker uses the spawned shell to execute commands on the compromised system. These commands could be used for reconnaissance, lateral movement, or other malicious activities.</li>
<li>The attacker may use the established shell to install additional tools or malware on the system.</li>
<li>The attacker moves laterally to other systems on the network, repeating the process.</li>
<li>The final objective includes data exfiltration, ransomware deployment, or other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to execute arbitrary commands on compromised systems, potentially leading to data theft, system disruption, or ransomware deployment. The number of affected systems depends on the attacker's ability to move laterally within the network. Targeted sectors include any organization utilizing OpenEDR for endpoint protection. If successful, the attack can result in significant financial losses, reputational damage, and operational disruptions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;OpenEDR Spawning Command Shell&quot; to your SIEM to detect suspicious <code>ssh-shellhost.exe</code> process creation events in your environment (rules).</li>
<li>Investigate any alerts generated by the Sigma rule to determine if the activity is legitimate or malicious.</li>
<li>Implement strict access controls and monitoring for OpenEDR's remote management features to prevent unauthorized use.</li>
<li>Review the reference article to gain a better understanding of the attack vector and potential mitigation strategies (references).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>openedr</category><category>remote-access-tool</category><category>lateral-movement</category></item></channel></rss>