Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. Use this rule to detect instances of older versions of Anydesk using the compromised certificate This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.
Sigma rule (View on GitHub)
1title: Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
2id: 41f407b5-3096-44ea-a74f-96d04fbc41be
3status: experimental
4description: |
5 Detects the execution of an AnyDesk binary with a version prior to 8.0.8.
6 Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors.
7 Use this rule to detect instances of older versions of Anydesk using the compromised certificate
8 This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.
9references:
10 - https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/
11 - https://anydesk.com/en/changelog/windows
12author: Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems)
13date: 2024-02-08
14tags:
15 - attack.execution
16 - attack.initial-access
17logsource:
18 product: windows
19 category: process_creation
20detection:
21 selection_img:
22 - Image|endswith: '\AnyDesk.exe'
23 - Description: 'AnyDesk'
24 - Product: 'AnyDesk'
25 - Company: 'AnyDesk Software GmbH'
26 selection_version:
27 FileVersion|startswith:
28 - '7.0.'
29 - '7.1.'
30 - '8.0.1'
31 - '8.0.2'
32 - '8.0.3'
33 - '8.0.4'
34 - '8.0.5'
35 - '8.0.6'
36 - '8.0.7'
37 filter_main_uninstall:
38 CommandLine|contains:
39 - ' --remove'
40 - ' --uninstall'
41 condition: all of selection_* and not 1 of filter_main_*
42falsepositives:
43 - Unlikely
44level: medium
References
-
AnyDesk confirmed today that it suffered a recent cyberattack that allowed hackers to gain access to the company's production systems. BleepingComputer has learned that source code and private code signing keys were stolen during the attack.
Read More -
The AnyDesk Changelog keeps you updated about the latest versions of our software for Windows.
Read More
Related rules
- Arbitrary Shell Command Execution Via Settingcontent-Ms
- Atlassian Confluence CVE-2022-26134
- DNS RCE CVE-2020-1350
- Download From Suspicious TLD - Blacklist
- Download From Suspicious TLD - Whitelist