Potentially Suspicious File Creation by OpenEDR's ITSMService

Original Source: [Sigma source]
Title: Potentially Suspicious File Creation by OpenEDR's ITSMService
Status: experimental
Description: Detects the creation of potentially suspicious files by OpenEDR's ITSMService process. The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features. While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
References:
  - https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
Author: @kostastsale
Date: 2026-02-19
Modified: None
Tags:
  - attack.command-and-control
  - attack.t1105
  - attack.lateral-movement
  - attack.t1570
  - attack.t1219
Logsource:
  product: windows
  category: file_event
Detection:
  selection_process:
    Image|endswith: '\COMODO\Endpoint Manager\ITSMService.exe'
  selection_suspicious_extensions:
    TargetFilename|endswith:
      - '.7z'
      - '.bat'
      - '.cmd'
      - '.com'
      - '.dll'
      - '.exe'
      - '.hta'
      - '.js'
      - '.pif'
      - '.ps1'
      - '.rar'
      - '.scr'
      - '.vbe'
      - '.vbs'
      - '.zip'
  condition: all of selection_*
Falsepositives:
  - Legitimate OpenEDR file management operations
  - Authorized remote file uploads by IT administrators
  - Software deployment through OpenEDR console
Level: medium
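The following is an added example, not part of the Sigma rule or of OpenEDR, showing how the Detection block above evaluates against Windows file_event records and how the resulting hits can be grouped for the false-positive review the rule calls for. It assumes Sysmon FileCreate (Event ID 11) field names: `Image` and `TargetFilename` are the fields the rule itself uses, while `UtcTime`, `User` and `Computer` are assumed context fields carried along for triage. The sample records are constructed.

```python
"""
Added example (not from the Sigma rule or OpenEDR): evaluates the rule's
detection logic over constructed Windows file_event records, as a Sysmon
Event ID 11 (FileCreate) log would present them, and returns the hits with
the context fields a responder needs to judge the listed false positives.
"""
from collections import Counter

# Values copied from the rule's selection blocks.
ITSM_IMAGE_SUFFIX = r"\COMODO\Endpoint Manager\ITSMService.exe"
SUSPICIOUS_EXTENSIONS = (
    ".7z", ".bat", ".cmd", ".com", ".dll", ".exe", ".hta", ".js",
    ".pif", ".ps1", ".rar", ".scr", ".vbe", ".vbs", ".zip",
)


def matches_rule(event):
    """Return True when both selections match ('all of selection_*').

    Sigma string modifiers such as |endswith compare case-insensitively
    unless |cased is added, so both sides are lower-cased before comparing.
    """
    image = str(event.get("Image", "")).lower()
    target = str(event.get("TargetFilename", "")).lower()
    selection_process = image.endswith(ITSM_IMAGE_SUFFIX.lower())
    selection_suspicious_extensions = target.endswith(SUSPICIOUS_EXTENSIONS)
    return selection_process and selection_suspicious_extensions


def run_rule(events):
    """Filter file_event records, keeping the fields needed for triage.

    UtcTime, User and Computer are assumed Sysmon context fields; the rule
    itself only inspects Image and TargetFilename.
    """
    hits = []
    for event in events:
        if matches_rule(event):
            hits.append({
                "UtcTime": event.get("UtcTime"),
                "User": event.get("User"),
                "Computer": event.get("Computer"),
                "TargetFilename": event.get("TargetFilename"),
            })
    return hits


def extension_summary(hits):
    """Count hits per (lower-cased) extension.

    A burst of writes from a single console session usually shares one
    extension (a deployment package); a spread across scripts, archives
    and executables is harder to explain as routine administration.
    """
    counts = Counter()
    for hit in hits:
        name = hit["TargetFilename"].lower()
        if "." in name:
            ext = "." + name.rsplit(".", 1)[-1]
        else:
            ext = "(none)"
        counts[ext] += 1
    return dict(counts)


# Constructed sample records; paths and hostnames are made up.
SAMPLE_EVENTS = [
    {"UtcTime": "2026-02-19 10:01:05", "Computer": "WS01", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Program Files\COMODO\Endpoint Manager\ITSMService.exe",
     "TargetFilename": r"C:\ProgramData\Comodo\tmp\deploy.exe"},          # hit
    {"UtcTime": "2026-02-19 10:01:06", "Computer": "WS01", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Program Files\COMODO\Endpoint Manager\ITSMService.exe",
     "TargetFilename": r"C:\ProgramData\Comodo\logs\itsm.log"},           # benign extension
    {"UtcTime": "2026-02-19 10:02:11", "Computer": "WS01", "User": r"CORP\alice",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\setup.exe"},            # other process
    {"UtcTime": "2026-02-19 10:03:40", "Computer": "WS02", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Program Files\COMODO\Endpoint Manager\ITSMService.exe",
     "TargetFilename": r"C:\Temp\Scripts\Collect.PS1"},                   # hit (case-insensitive)
    {"UtcTime": "2026-02-19 10:04:02", "Computer": "WS02", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Program Files\COMODO\Endpoint Manager\ITSMService.exe",
     "TargetFilename": r"C:\Temp\bundle.zip"},                            # hit
]


if __name__ == "__main__":
    hits = run_rule(SAMPLE_EVENTS)
    for hit in hits:
        print(hit["UtcTime"], hit["Computer"], hit["User"], hit["TargetFilename"])
    print(extension_summary(hits))
```

The three hits from the sample set are the records where both selections hold; the `.log` write from ITSMService and the `.exe` write from explorer.exe fall through. When reviewing real hits, the user and time fields are what distinguish a console-driven deployment window from an unexpected write.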