Remote Access Tool - AnyDesk Incoming Connection

calendar Mar 4, 2025 · attack.persistence attack.command-and-control attack.t1219  ·
Share on: linkedin copy

Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.

Sigma rule (View on GitHub)

 1title: Remote Access Tool - AnyDesk Incoming Connection
 2id: d58ba5c6-0ed7-4b9d-a433-6878379efda9
 3status: experimental
 4description: |
 5        Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
 6references:
 7    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
 8    - https://asec.ahnlab.com/en/40263/
 9author: '@d4ns4n_ (Wuerth-Phoenix)'
10date: 2024-09-02
11modified: 2025-02-24
12tags:
13    - attack.persistence
14    - attack.command-and-control
15    - attack.t1219
16logsource:
17    category: network_connection
18    product: windows
19detection:
20    selection:
21        Image|endswith:
22            - '\AnyDesk.exe'
23            - '\AnyDeskMSI.exe'
24        Initiated: 'false' # If the network connection is initiated remotely (incoming), the field is set to false.
25    condition: selection
26falsepositives:
27    - Legitimate incoming connections (e.g. sysadmin activity). Most of the time I would expect outgoing connections (initiated locally).
28level: medium

References

Related rules

to-top