Potentially Suspicious File Creation by OpenEDRs ITSMService

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects the creation of potentially suspicious files by OpenEDR's ITSMService process.

Severity

Attention

Rule Requirement

Criteria

Action1: actionname = "File Created or Modified" AND ( PROCESSNAME endswith "\ITSMService.exe" ) AND ( FILENAME endswith ".exe,.dll,.ps1,.bat,.vbs,.hta,.7z,.cmd,.com,.js,.pif,.rar,.scr,.vbe,.zip" OR OBJECTNAME endswith ".exe,.dll,.ps1,.bat,.vbs,.hta,.7z,.cmd,.com,.js,.pif,.rar,.scr,.vbe,.zip" ) select Action1.HOSTNAME,Action1.MESSAGE,Action1.USERNAME,Action1.DOMAIN,Action1.OBJECTNAME,Action1.FILENAME,Action1.PROCESSNAME,Action1.FILETYPE,Action1.ACCESSLIST

Detection

Execution Mode

realtime

Log Sources

Windows

Author

@kostastsale