
OpenEDR Spawning Command Shell (7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d)

Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities. This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool. Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.
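The detection described above, written out as a small process-creation filter so the parent/child relationship the rule keys on is explicit. This is an added example, not the Sigma rule itself (the page does not show the rule's selection fields): it assumes Sysmon Event ID 1 style field names (`Image`, `ParentImage`, `CommandLine`), matches on file name only so the install path of OpenEDR does not matter, and treats `pwsh.exe` as PowerShell alongside `powershell.exe` (an assumption beyond the description). The event records are constructed for the example.

```python
import ntpath
from typing import Iterable

# Process names taken from the cluster description. The parent is the
# OpenEDR SSH host; the children are the command shells it may spawn.
PARENT_IMAGE = "ssh-shellhost.exe"
# Assumption: pwsh.exe (PowerShell 7) is counted as PowerShell too.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, ignoring the directory."""
    return ntpath.basename(path).lower()


def matches_rule(event: dict) -> bool:
    """True when ssh-shellhost.exe is the direct parent of a command shell."""
    parent = _basename(event.get("ParentImage", ""))
    image = _basename(event.get("Image", ""))
    return parent == PARENT_IMAGE and image in SHELL_IMAGES


def scan(events: Iterable[dict]) -> list[dict]:
    """Return the process-creation events that trigger the detection."""
    return [e for e in events if matches_rule(e)]


# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "ParentImage": r"C:\Program Files\OpenEDR\ssh-shellhost.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"ProcessId": 4188,
     "ParentImage": r"C:\Program Files\OpenEDR\ssh-shellhost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile"},
    # Ordinary interactive shell from Explorer: not the rule's parent.
    {"ProcessId": 5002,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    # Right parent, but the child is not a shell: not matched by this rule.
    {"ProcessId": 5010,
     "ParentImage": r"C:\Program Files\OpenEDR\ssh-shellhost.exe",
     "Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami"},
    # Mixed case, as logging pipelines sometimes deliver it: still matched.
    {"ProcessId": 5044,
     "ParentImage": r"C:\PROGRAM FILES\OPENEDR\SSH-SHELLHOST.EXE",
     "Image": r"C:\WINDOWS\SYSTEM32\CMD.EXE",
     "CommandLine": "CMD.EXE /c dir"},
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        # Surface the command line so an analyst can tell routine
        # administration from something that needs follow-up.
        print(f"PID {hit['ProcessId']}: {hit['CommandLine']}")
```

A match is a starting point for triage rather than a verdict: as the description says, the same parent/child pair is produced by legitimate remote administration, so the command line, the operator account and the time of day decide whether it is expected.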

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
--- | --- | --- | --- | ---
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) | Attack Pattern | OpenEDR Spawning Command Shell (7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d) | Sigma-Rules | 1
OpenEDR Spawning Command Shell (7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d) | Sigma-Rules | SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) | Attack Pattern | 1
OpenEDR Spawning Command Shell (7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d) | Sigma-Rules | Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | 1
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) | Attack Pattern | Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | 2