Skip to content

Hide Navigation Hide TOC

OpenEDR Spawning Command Shell (7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d)

Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities. This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool. Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.

Cluster A Galaxy A Cluster B Galaxy B Level
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern OpenEDR Spawning Command Shell (7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d) Sigma-Rules 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern OpenEDR Spawning Command Shell (7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d) Sigma-Rules 1
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern OpenEDR Spawning Command Shell (7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d) Sigma-Rules 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 2