Potentially Suspicious File Creation by OpenEDRs ITSMService
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects the creation of potentially suspicious files by OpenEDR's ITSMService process.
Severity
Attention
Rule Requirement
Criteria
Action1:
actionname = "File Created or Modified" AND ( PROCESSNAME endswith "\ITSMService.exe" ) AND ( FILENAME endswith ".exe,.dll,.ps1,.bat,.vbs,.hta,.7z,.cmd,.com,.js,.pif,.rar,.scr,.vbe,.zip" OR OBJECTNAME endswith ".exe,.dll,.ps1,.bat,.vbs,.hta,.7z,.cmd,.com,.js,.pif,.rar,.scr,.vbe,.zip" )
select Action1.HOSTNAME,Action1.MESSAGE,Action1.USERNAME,Action1.DOMAIN,Action1.OBJECTNAME,Action1.FILENAME,Action1.PROCESSNAME,Action1.FILETYPE,Action1.ACCESSLIST
Detection
Execution Mode
realtime
Log Sources
Windows
Author
@kostastsale


