AnyDesk Network

calendar Mar 18, 2025 · attack.lateral-movement attack.t1133 attack.command-and-control attack.t1219  ·
Share on: linkedin copy

Detects use of AnyDesk

Sigma rule (View on GitHub)

 1title: AnyDesk Network
 2id: b26feb0b-8891-4e66-b2e7-ec91dc045d58
 3status: experimental
 4description: Detects use of AnyDesk
 5author: _pete_0, TheDFIRReport
 6references:
 7    - https://support.anydesk.com/knowledge/firewall
 8date: 2022-05-06
 9modified: 2022-05-06
10logsource:
11    category: dns_query
12    product: windows
13detection:
14    selection:
15        QueryName|contains: '.anydesk.com'
16        Image|endswith: '\anydesk.exe'
17    condition: selection
18falsepositives:
19    - Legitimate AnyDesk installation
20level: high
21tags:
22    - attack.lateral-movement
23    - attack.t1133
24    - attack.command-and-control
25    - attack.t1219
yaml

References

  • Firewall

    Table of Contents AnyDesk clients use the TCP-Ports 80, 443, and 6568 to establish connections. It is however sufficient if just one of these is opened. AnyDesk’s “Discovery” feature uses a free UDP p


    Read More

Related rules

to-top