Merge PR #5716 from @tsale - Add detection rules for abuse of OpenEDR's response feature

new: Potentially Suspicious File Creation by OpenEDR's ITSMService
new: OpenEDR Spawning Command Shell

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>

rules/windows/file/file_event/file_event_win_comodo_itsm_potentially_suspicious_file_creation.yml

@@ -0,0 +1,46 @@
+title: Potentially Suspicious File Creation by OpenEDR's ITSMService
+id: 9e4b7d3a-6f2c-4e9a-8d1b-3c5e7a9f2b4d
+status: experimental
+description: |
+    Detects the creation of potentially suspicious files by OpenEDR's ITSMService process.
+    The ITSMService is responsible for remote management operations and can create files on the system through the Process Explorer or file management features.
+    While legitimate for IT operations, creation of executable or script files could indicate unauthorized file uploads, data staging, or malicious file deployment.
+author: '@kostastsale'
+date: 2026-02-19
+references:
+    - https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
+tags:
+    - attack.command-and-control
+    - attack.t1105
+    - attack.lateral-movement
+    - attack.t1570
+    - attack.t1219
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection_process:
+        Image|endswith: '\COMODO\Endpoint Manager\ITSMService.exe'
+    selection_suspicious_extensions:
+        TargetFilename|endswith:
+            - '.7z'
+            - '.bat'
+            - '.cmd'
+            - '.com'
+            - '.dll'
+            - '.exe'
+            - '.hta'
+            - '.js'
+            - '.pif'
+            - '.ps1'
+            - '.rar'
+            - '.scr'
+            - '.vbe'
+            - '.vbs'
+            - '.zip'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate OpenEDR file management operations
+    - Authorized remote file uploads by IT administrators
+    - Software deployment through OpenEDR console
+level: medium

rules/windows/process_creation/proc_creation_win_comodo_ssh_shellhost_cmd_spawn.yml

@@ -0,0 +1,36 @@
+title: OpenEDR Spawning Command Shell
+id: 7f3a9c2d-4e8b-4a7f-9d3e-5c6f8a9b2e1d
+status: experimental
+description: |
+    Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities.
+    This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool.
+    Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.
+author: '@kostastsale'
+date: 2026-02-19
+references:
+    - https://kostas-ts.medium.com/detecting-abuse-of-openedrs-permissive-edr-trial-a-security-researcher-s-perspective-fc55bf53972c
+tags:
+    - attack.execution
+    - attack.t1059.003
+    - attack.lateral-movement
+    - attack.t1021.004
+    - attack.command-and-control
+    - attack.t1219
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_img:
+        ParentImage|endswith: '\ITSMService.exe'
+        Image|endswith: '\ssh-shellhost.exe'
+        CommandLine|contains: '--pty'
+    selection_cli_shell:
+        CommandLine|contains:
+            - 'bash'
+            - 'cmd'
+            - 'powershell'
+            - 'pwsh'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate use of OpenEDR for remote command execution
+level: medium