OpenEDR Spawning Command Shell

Summary
Detects OpenEDR's ssh-shellhost.exe spawning an interactive command shell (cmd.exe, PowerShell or another CLI) with pseudo-terminal (PTY) capabilities. The rule matches Windows process-creation events in which the Image is ssh-shellhost.exe, the ParentImage ends with ITSMService.exe, and the CommandLine contains --pty (indicating a pseudo-terminal session) together with one of the known interactive shells bash, cmd, powershell or pwsh. This pattern corresponds to OpenEDR's remote shell feature: a hit may be legitimate remote administration, but the same capability can be abused for remote command execution, lateral movement or command-and-control. The rule maps to Windows command shell and remote service abuse techniques and is rated medium severity. Expect false positives from legitimate OpenEDR use, particularly where remote-management policies are permissive; baseline which operators and hosts are expected to open remote shells before alerting on every match. A reference to security research discussing abuse of OpenEDR's permissive trial is provided with the rule.
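To make the matching logic above concrete, here is an added example (not the rule's own YAML and not code from the OpenEDR project or the Sigma project) that re-implements the described conditions in Python and runs them over constructed process-creation events. The field names (Image, ParentImage, CommandLine) follow Sysmon Event ID 1 conventions, the install paths are invented for illustration, and matching is done case-insensitively on the assumption that Sigma string comparisons are case-insensitive by default.

```python
"""Added example: Python re-implementation of the 'OpenEDR Spawning Command
Shell' detection logic, run over constructed sample events. Not the rule's
own YAML; paths and events below are invented for illustration."""

# Interactive shells the rule looks for inside the command line.
SHELLS = ("bash", "cmd", "powershell", "pwsh")

# Constructed sample events (Sysmon Event ID 1 style field names).
# Paths are hypothetical; no real install layout is implied.
SAMPLE_EVENTS = [
    {   # 0: expected HIT - ITSMService parent, ssh-shellhost, --pty, cmd
        "Image": r"C:\Program Files\OpenEDR\ssh-shellhost.exe",
        "ParentImage": r"C:\Program Files\OpenEDR\ITSMService.exe",
        "CommandLine": r'"C:\Program Files\OpenEDR\ssh-shellhost.exe" --pty cmd.exe',
    },
    {   # 1: no --pty, so not a pseudo-terminal session -> no match
        "Image": r"C:\Program Files\OpenEDR\ssh-shellhost.exe",
        "ParentImage": r"C:\Program Files\OpenEDR\ITSMService.exe",
        "CommandLine": r'"C:\Program Files\OpenEDR\ssh-shellhost.exe" cmd.exe',
    },
    {   # 2: right image and flags but wrong parent -> no match
        "Image": r"C:\Program Files\OpenEDR\ssh-shellhost.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\OpenEDR\ssh-shellhost.exe" --pty powershell.exe',
    },
    {   # 3: ITSMService spawning cmd.exe directly, not via ssh-shellhost -> no match
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files\OpenEDR\ITSMService.exe",
        "CommandLine": r"cmd.exe /c whoami",
    },
    {   # 4: expected HIT - same pattern, mixed case, pwsh shell
        "Image": r"C:\PROGRAM FILES\OpenEDR\SSH-SHELLHOST.EXE",
        "ParentImage": r"C:\PROGRAM FILES\OpenEDR\ITSMSERVICE.EXE",
        "CommandLine": r'"C:\PROGRAM FILES\OpenEDR\SSH-SHELLHOST.EXE" --pty pwsh.exe',
    },
]


def matched_shell(cmdline: str):
    """Return the first known interactive shell named in the command line,
    or None. Plain substring matching mirrors a Sigma 'contains' modifier."""
    lowered = cmdline.lower()
    for shell in SHELLS:
        if shell in lowered:
            return shell
    return None


def matches_rule(event: dict) -> bool:
    """Apply the rule's selection: Image is ssh-shellhost.exe, ParentImage ends
    with ITSMService.exe, CommandLine contains --pty and an interactive shell.
    Comparisons are lower-cased (assumed Sigma default case-insensitivity)."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmdline = event.get("CommandLine", "").lower()

    if not image.endswith("\\ssh-shellhost.exe"):
        return False
    if not parent.endswith("\\itsmservice.exe"):
        return False
    if "--pty" not in cmdline:
        return False
    return matched_shell(cmdline) is not None


def scan(events) -> list:
    """Return the indices of events that trigger the rule. A hit is a
    medium-severity signal, not proof of compromise: legitimate OpenEDR
    remote administration produces the same event shape, so triage should
    compare the host and operator against an approved remote-shell baseline."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    for idx in scan(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"HIT event {idx}: shell={matched_shell(ev['CommandLine'])} "
              f"parent={ev['ParentImage']}")
```

Running the block prints hits for events 0 and 4 only; events 1 to 3 show how dropping any single condition (the --pty flag, the ITSMService.exe parent, or the ssh-shellhost.exe image) takes an event out of scope, which is why the rule requires all of them together rather than alerting on any ITSMService.exe child process.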
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Image
  • Command
Created: 2026-02-19