Remote Access Tool - AnyDesk Incoming Connection
Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
Sigma rule (View on GitHub)
1title: Remote Access Tool - AnyDesk Incoming Connection
2id: d58ba5c6-0ed7-4b9d-a433-6878379efda9
3status: experimental
4description: |
5 Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
6references:
7 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
8 - https://asec.ahnlab.com/en/40263/
9author: '@d4ns4n_ (Wuerth-Phoenix)'
10date: 2024-09-02
11tags:
12 - attack.persistence
13 - attack.command-and-control
14 - attack.t1219
15logsource:
16 category: network_connection
17 product: windows
18detection:
19 selection:
20 Image|endswith: '\AnyDesk.exe'
21 Initiated: 'false' # If the network connection is initiated remotely (incoming), the field is set to false.
22 condition: selection
23falsepositives:
24 - Legitimate incoming connections (e.g. sysadmin activity). Most of the time I would expect outgoing connections (initiated locally).
25level: medium
References
Related rules
- Potential Amazon SSM Agent Hijacking
- Potential Linux Amazon SSM Agent Hijacking
- Antivirus Exploitation Framework Detection
- Anydesk Temporary Artefact
- Bitsadmin to Uncommon IP Server Address