Anydesk Remote Access Software Service Installation
Detects the installation of the AnyDesk software service, which could be an indication of AnyDesk abuse if the software isn't already in use.
Sigma rule (View on GitHub)
title: Anydesk Remote Access Software Service Installation
id: 530a6faa-ff3d-4022-b315-50828e77eef5
status: test
description: Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.
references:
    - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-11
tags:
    - attack.persistence
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
        ServiceName: 'AnyDesk Service'
    condition: selection
falsepositives:
    - Legitimate usage of the anydesk tool
level: medium
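An added example, not part of the original rule or the Sigma project: it shows where the rule's three selection fields live in a System-log event record (Provider_Name is the Name attribute of the Provider element, ServiceName is an EventData item) and applies the selection with Sigma's default case-insensitive string comparison. The event records, paths and helper names (make_event, flatten, matches, alerts) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The rule's selection block, copied from the rule above.
SELECTION = {
    "Provider_Name": "Service Control Manager",
    "EventID": 7045,
    "ServiceName": "AnyDesk Service",
}

def make_event(event_id, service, image):
    """Build a constructed (not captured) System-log record as event XML."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Service Control Manager"/>'
        f'<EventID Qualifiers="16384">{event_id}</EventID></System>'
        f'<EventData><Data Name="ServiceName">{service}</Data>'
        f'<Data Name="ImagePath">{image}</Data></EventData></Event>'
    )

# Constructed samples: the paths and the third service name are illustrative only.
SAMPLES = [
    make_event(7045, "AnyDesk Service", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe --service"),
    make_event(7045, "anydesk service", r"C:\Users\Public\AnyDesk.exe --service"),
    make_event(7045, "Example Backup Agent", r"C:\Example\agent.exe"),
]

def flatten(event_xml):
    """Map one event XML record to the flat field names the rule uses."""
    root = ET.fromstring(event_xml)
    system = root.find("e:System", NS)
    fields = {
        "Provider_Name": system.find("e:Provider", NS).get("Name"),
        "EventID": system.find("e:EventID", NS).text,
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields

def matches(fields, selection=SELECTION):
    """Every selection key must match; strings compare case-insensitively."""
    return all(str(fields.get(k, "")).lower() == str(v).lower()
               for k, v in selection.items())

def alerts(events):
    """Return (ServiceName, ImagePath) for every record the selection matches."""
    hits = [f for f in map(flatten, events) if matches(f)]
    return [(f["ServiceName"], f.get("ImagePath", "")) for f in hits]

if __name__ == "__main__":
    for name, image in alerts(SAMPLES):
        print(f"ALERT service={name!r} image={image!r}")
```

Returning ImagePath with each hit gives the analyst the binary location to compare against the organisation's approved install path when separating legitimate use from abuse.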