Remote Access Tool - AnyDesk Silent Installation

 1title: Remote Access Tool - AnyDesk Silent Installation
 2id: 114e7f1c-f137-48c8-8f54-3088c24ce4b9
 3status: test
 4description: Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.
 5references:
 6    - https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20
 7    - https://support.anydesk.com/Automatic_Deployment
 8author: Ján Trenčanský
 9date: 2021/08/06
10modified: 2023/03/05
11tags:
12    - attack.command_and_control
13    - attack.t1219
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        CommandLine|contains|all:
20            - '--install'
21            - '--start-with-win'
22            - '--silent'
23    condition: selection
24fields:
25    - CommandLine
26    - ParentCommandLine
27    - CurrentDirectory
28falsepositives:
29    - Legitimate deployment of AnyDesk
30level: high

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• https://support.anydesk.com/Automatic_Deployment

  
  Read More

Related rules

• Remote Access Tool - AnyDesk Execution
• Remote Access Tool - GoToAssist Execution
• Remote Access Tool - LogMeIn Execution
• Remote Access Tool - ScreenConnect Execution
• Antivirus Exploitation Framework Detection