Remote Access Tool - AnyDesk Execution
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
Sigma rule (View on GitHub)
1title: Remote Access Tool - AnyDesk Execution
2id: b52e84a3-029e-4529-b09b-71d19dd27e94
3status: test
4related:
5 - id: 065b00ca-5d5c-4557-ac95-64a6d0b64d86
6 type: similar
7description: |
8 An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
9 These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
10 Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
11references:
12 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
13author: frack113
14date: 2022/02/11
15modified: 2023/03/05
16tags:
17 - attack.command_and_control
18 - attack.t1219
19logsource:
20 category: process_creation
21 product: windows
22detection:
23 selection:
24 - Image|endswith: '\AnyDesk.exe'
25 - Description: AnyDesk
26 - Product: AnyDesk
27 - Company: AnyDesk Software GmbH
28 condition: selection
29falsepositives:
30 - Legitimate use
31level: medium