Apply changes

fukusuket · github-actions[bot] · commit 6f270547eb6a · 2026-03-01T15:14:19.000Z
diff --git a/data/Microsoft_Server/UsableRules.csv b/data/Microsoft_Server/UsableRules.csv
@@ -2014,6 +2014,10 @@ However, malicious actors may exploit these tools by renaming them to bypass det
 Attackers may use Kali Linux WSL to leverage its penetration testing tools and capabilities for malicious purposes.
 ","3de98820-2d36-1706-4ba6-1dcac6f0a2db"
 "Insecure Transfer Via Curl.EXE","medium","","process_creation","Detects execution of ""curl.exe"" with the ""--insecure"" flag.","4308f710-0e58-712f-6781-9323b7dc779e"
+"OpenEDR Spawning Command Shell","medium","","process_creation","Detects the OpenEDR ssh-shellhost.exe spawning a command shell (cmd.exe) or PowerShell with PTY (pseudo-terminal) capabilities.
+This may indicate remote command execution through OpenEDR's remote management features, which could be legitimate administrative activity or potential abuse of the remote access tool.
+Threat actors may leverage OpenEDR's remote shell capabilities to execute commands on compromised systems, facilitating lateral movement or other command-and-control operations.
+","d171fc00-4320-d070-29e2-5576e7e2dcb0"
 "Potentially Suspicious Execution Of Regasm/Regsvcs With Uncommon Extension","medium","","process_creation","Detects potentially suspicious execution of the Regasm/Regsvcs utilities with an uncommon extension.","ba17b43d-ff78-598e-3e48-6f7f77abce52"
 "Obfuscated PowerShell OneLiner Execution","high","","process_creation","Detects the execution of a specific OneLiner to download and execute powershell modules in memory.","5656cdf4-b7e5-dbcf-3fc4-2d935d5999cd"
 "Interesting Service Enumeration Via Sc.EXE","low","","process_creation","Detects the enumeration and query of interesting and in some cases sensitive services on the system via ""sc.exe"".
diff --git a/data/Microsoft_Server/WELA-Audit-Result.csv b/data/Microsoft_Server/WELA-Audit-Result.csv
@@ -21,7 +21,7 @@
 "Security Advanced (Account Management)","Security Group Management","12","critical:0, high:5, medium:2, low:5, info:0","Success","Success and Failure","Success and Failure","",""
 "Security Advanced (Account Management)","User Account Management","13","critical:0, high:7, medium:4, low:2, info:0","Success","Success and Failure","Success and Failure","",""
 "Security Advanced (Detailed Tracking)","Plug and Play Events","2","critical:0, high:0, medium:1, low:1, info:0","No Auditing","No Auditing","","",""
-"Security Advanced (Detailed Tracking)","Process Creation","1388","critical:69, high:678, medium:552, low:86, info:3","No Auditing","Success and Failure","Success","","Include command line in process creation events"
+"Security Advanced (Detailed Tracking)","Process Creation","1389","critical:69, high:678, medium:553, low:86, info:3","No Auditing","Success and Failure","Success","","Include command line in process creation events"
 "Security Advanced (Detailed Tracking)","Process Termination","1","critical:0, high:1, medium:0, low:0, info:0","No Auditing","No Auditing","","",""
 "Security Advanced (Detailed Tracking)","RPC Events","0","critical:0, high:0, medium:0, low:0, info:0","No Auditing","No Auditing","","",""
 "Security Advanced (Detailed Tracking)","Token Right Adjusted Events","0","critical:0, high:0, medium:0, low:0, info:0","No Auditing","No Auditing","","",""
