Anydesk Remote Access Software Service Installation
Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.
Sigma rule (View on GitHub)
1title: Anydesk Remote Access Software Service Installation
2id: 530a6faa-ff3d-4022-b315-50828e77eef5
3status: test
4description: Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.
5references:
6 - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/08/11
9tags:
10 - attack.persistence
11logsource:
12 product: windows
13 service: system
14detection:
15 selection:
16 Provider_Name: 'Service Control Manager'
17 EventID: 7045
18 ServiceName: 'AnyDesk Service'
19 condition: selection
20falsepositives:
21 - Legitimate usage of the anydesk tool
22level: medium
References
-
In this intrusion from April 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee is a malware loader that was first reported by Google Threat Analysis Group … Read More
Read More
Related rules
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Tampering - Suspicious Failed Logon Reasons
- Added Credentials to Existing Application
- Application AppID Uri Configuration Changes