Anydesk Remote Access Software Service Installation
Detects the installation of the AnyDesk software service, which could be an indication of AnyDesk abuse if the software isn't already in use.
Sigma rule

```yaml
title: Anydesk Remote Access Software Service Installation
id: 530a6faa-ff3d-4022-b315-50828e77eef5
status: test
description: Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.
references:
    - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-08-11
modified: 2025-02-24
tags:
    - attack.persistence
logsource:
    product: windows
    service: system
detection:
    selection_provider:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ServiceName|contains|all:
              - 'AnyDesk' # Covers both AnyDesk Service and AnyDesk MSI Service
              - 'Service'
        - ImagePath|contains: 'AnyDesk'
    condition: all of selection_*
falsepositives:
    - Legitimate usage of the anydesk tool
level: medium
```
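The rule's matching logic evaluated over constructed Event ID 7045 records, as an added example that is not part of the original rule or the Sigma project's code. The `Computer` field, the sample events and the `approved_hosts` allowlist are assumptions made for illustration.

```python
# Added example: field names come from the rule; events and allowlist are constructed.
def contains(value, needle):
    # Sigma string matching is case-insensitive by default.
    return needle.lower() in str(value or "").lower()

def selection_provider(ev):
    return (str(ev.get("Provider_Name", "")).lower() == "service control manager"
            and str(ev.get("EventID")) == "7045")

def selection_service(ev):
    # Items of a list under one selection are OR'ed; |contains|all needs every value.
    by_name = all(contains(ev.get("ServiceName"), s) for s in ("AnyDesk", "Service"))
    by_path = contains(ev.get("ImagePath"), "AnyDesk")
    return by_name or by_path

def matches(ev):
    # condition: all of selection_*
    return selection_provider(ev) and selection_service(ev)

def triage(events, approved_hosts=frozenset()):
    # approved_hosts is a hypothetical allowlist for the rule's documented
    # false positive (legitimate AnyDesk use); it is not part of the rule.
    return [(ev["Computer"], ev["ServiceName"]) for ev in events
            if matches(ev) and ev["Computer"].lower() not in approved_hosts]

SCM = "Service Control Manager"
SAMPLE_EVENTS = [  # constructed System-log records, not real telemetry
    {"Computer": "WS01", "Provider_Name": SCM, "EventID": 7045,
     "ServiceName": "AnyDesk Service",
     "ImagePath": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service'},
    {"Computer": "WS02", "Provider_Name": SCM, "EventID": 7045,
     "ServiceName": "Windows Helper",           # name gives nothing away
     "ImagePath": r"C:\ProgramData\anydesk.exe --service"},
    {"Computer": "WS03", "Provider_Name": SCM, "EventID": 7045,
     "ServiceName": "Print Helper",
     "ImagePath": r"C:\Windows\System32\helper.exe"},
    {"Computer": "WS04", "Provider_Name": SCM, "EventID": 7036,  # state change, not install
     "ServiceName": "AnyDesk Service", "ImagePath": ""},
    {"Computer": "HELPDESK01", "Provider_Name": SCM, "EventID": 7045,
     "ServiceName": "AnyDesk MSI Service",
     "ImagePath": r"C:\Program Files (x86)\AnyDeskMSI\AnyDeskMSI.exe --service"},
]

if __name__ == "__main__":
    for host, svc in triage(SAMPLE_EVENTS, approved_hosts={"helpdesk01"}):
        print(f"ALERT {host}: service '{svc}' installed")
```

The second sample event shows why the `ImagePath` branch matters: a service registered under an unrelated name still matches when its binary path contains `AnyDesk`.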
Related rules
- Remote Access Tool - AnyDesk Incoming Connection
- Schtasks Creation Or Modification With SYSTEM Privileges
- Add Port Monitor Persistence in Registry
- New TimeProviders Registered With Uncommon DLL Name
- OpenCanary - SSH Login Attempt