Remote Access Tool - AnyDesk Piped Password Via CLI

Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.

Sigma rule

title: Remote Access Tool - AnyDesk Piped Password Via CLI
id: b1377339-fda6-477a-b455-ac0923f9ec2c
status: test
description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
references:
    - https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/09/28
modified: 2023/03/05
tags:
    - attack.command_and_control
    - attack.t1219
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            # Example: C:\WINDOWS\system32\cmd.exe /C cmd.exe /c echo J9kzQ2Y0qO |C:\ProgramData\anydesk.exe --set-password
            - '/c '
            - 'echo '
            - '.exe --set-password'
    condition: selection
falsepositives:
    - Legitimate piping of the password to anydesk
    - Some FP could occur with similar tools that use the same command line '--set-password'
level: medium
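To show concretely what the selection above does and where its documented false positive comes from, here is a small Python matcher (an added example, not part of the Sigma rule or this page) that applies the rule's `contains|all` logic to a few constructed process_creation events. The event with the `othertool.exe` path is hypothetical and stands in for the "similar tools" case listed under falsepositives.

```python
"""Added example (not part of the Sigma rule or the original page): evaluate the
rule's 'CommandLine|contains|all' selection against constructed process_creation
events to show what it catches and where the documented false positive comes from.
"""

# The three substrings from the rule's selection. Sigma string matching is
# case-insensitive by default, so the matcher lowercases both sides.
SELECTION_CONTAINS_ALL = ["/c ", "echo ", ".exe --set-password"]


def rule_matches(event: dict) -> bool:
    """Return True when every selection substring occurs in the CommandLine field."""
    cmdline = event.get("CommandLine", "").lower()
    return all(needle.lower() in cmdline for needle in SELECTION_CONTAINS_ALL)


def evaluate(events: list) -> list:
    """Return the ids of the events that trigger the rule, preserving input order."""
    return [e["id"] for e in events if rule_matches(e)]


# Constructed sample events. The first CommandLine is the example quoted in the
# rule itself; the others are made up here to illustrate non-matches and the
# false-positive case named under 'falsepositives' (othertool.exe is hypothetical).
SAMPLE_EVENTS = [
    {"id": "tp-anydesk-piped",
     "CommandLine": r"C:\WINDOWS\system32\cmd.exe /C cmd.exe /c echo J9kzQ2Y0qO |C:\ProgramData\anydesk.exe --set-password"},
    {"id": "no-pipe-interactive",           # no 'cmd /c', no 'echo': not matched
     "CommandLine": r"C:\ProgramData\anydesk.exe --set-password"},
    {"id": "fp-other-tool",                 # different tool, same flag: matched (FP)
     "CommandLine": r"cmd.exe /c echo S3cret | C:\Tools\othertool.exe --set-password"},
    {"id": "unrelated-echo",                # echo without '--set-password': not matched
     "CommandLine": r"cmd.exe /c echo hello > C:\Temp\out.txt"},
]

if __name__ == "__main__":
    for event_id in evaluate(SAMPLE_EVENTS):
        print("ALERT:", event_id)
```

Running it flags both the AnyDesk example and the hypothetical other tool, which is exactly the false positive the rule author notes; triage should confirm the piped-to binary is AnyDesk before treating the alert as a hit.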
