Remote Access Tool - AnyDesk Incoming Connection

calendar Sep 2, 2024 · attack.persistence attack.command-and-control attack.t1219  ·
Share on: linkedin copy

Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.

Sigma rule (View on GitHub)

 1title: Remote Access Tool - AnyDesk Incoming Connection
 2id: d58ba5c6-0ed7-4b9d-a433-6878379efda9
 3status: experimental
 4description: |
 5        Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
 6references:
 7    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
 8    - https://asec.ahnlab.com/en/40263/
 9author: '@d4ns4n_ (Wuerth-Phoenix)'
10date: 2024-09-02
11tags:
12    - attack.persistence
13    - attack.command-and-control
14    - attack.t1219
15logsource:
16    category: network_connection
17    product: windows
18detection:
19    selection:
20        Image|endswith: '\AnyDesk.exe'
21        Initiated: 'false' # If the network connection is initiated remotely (incoming), the field is set to false.
22    condition: selection
23falsepositives:
24    - Legitimate incoming connections (e.g. sysadmin activity). Most of the time I would expect outgoing connections (initiated locally).
25level: medium

References

Related rules

to-top