Remote Access Tool - AnyDesk Piped Password Via CLI
Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
Sigma rule (View on GitHub)
1title: Remote Access Tool - AnyDesk Piped Password Via CLI
2id: b1377339-fda6-477a-b455-ac0923f9ec2c
3status: test
4description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
5references:
6 - https://redcanary.com/blog/misbehaving-rats/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-09-28
9modified: 2023-03-05
10tags:
11 - attack.command-and-control
12 - attack.t1219
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 CommandLine|contains|all:
19 # Example: C:\WINDOWS\system32\cmd.exe /C cmd.exe /c echo J9kzQ2Y0qO |C:\ProgramData\anydesk.exe --set-password
20 - '/c '
21 - 'echo '
22 - '.exe --set-password'
23 condition: selection
24falsepositives:
25 - Legitimate piping of the password to anydesk
26 - Some FP could occur with similar tools that uses the same command line '--set-password'
27level: medium
References
Related rules
- Antivirus Exploitation Framework Detection
- Anydesk Temporary Artefact
- DNS Query To AzureWebsites.NET By Non-Browser Process
- GoToAssist Temporary Installation Artefact
- HackTool - Inveigh Execution Artefacts