AnyDesk Network

Detects use of AnyDesk

Sigma rule

title: AnyDesk Network
id: b26feb0b-8891-4e66-b2e7-ec91dc045d58
status: experimental
description: Detects use of AnyDesk
author: _pete_0, TheDFIRReport
references:
  - https://support.anydesk.com/knowledge/firewall
date: 2022/05/06
modified: 2022/05/06
logsource:
  category: dns_query
  product: windows
detection:
  selection:
    QueryName|contains:
      - '.anydesk.com'
    Image|endswith:
      - '\anydesk.exe'
  condition: selection
falsepositives:
  - Legitimate AnyDesk installation
level: high
tags:
  - attack.lateral_movement
  - attack.t1133
  - attack.command_and_control
  - attack.t1219
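
How the selection above evaluates, shown as an added Python example that is not part of the original rule or of the Sigma project: both fields must match, listed values are alternatives, and string comparison is case-insensitive. The events are constructed samples using the Sysmon Event ID 22 field names (QueryName, Image); the names matches and triage are hypothetical helpers.

```python
# Added example: applies the rule's selection to constructed DNS query events.
# Field names follow Sysmon Event ID 22 (DnsQuery), the usual source for the
# windows / dns_query logsource.

SELECTION = {
    "QueryName|contains": [".anydesk.com"],
    "Image|endswith": ["\\anydesk.exe"],
}

MODIFIERS = {
    "contains": lambda value, pattern: pattern in value,
    "endswith": lambda value, pattern: value.endswith(pattern),
}

def matches(event, selection=SELECTION):
    """All fields must match (AND); any listed value may match (OR)."""
    for key, patterns in selection.items():
        field, modifier = key.split("|")
        # Sigma string matching is case-insensitive by default.
        value = str(event.get(field, "")).lower()
        test = MODIFIERS[modifier]
        if not any(test(value, p.lower()) for p in patterns):
            return False
    return True

# Constructed sample events (not real telemetry).
EVENTS = [
    # AnyDesk client resolving a subdomain: both fields match.
    {"QueryName": "relay-example.net.anydesk.com",
     "Image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"},
    # Browser resolving an AnyDesk host: Image does not match.
    {"QueryName": "download.anydesk.com",
     "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe"},
    # Bare apex domain: 'anydesk.com' does not contain '.anydesk.com'.
    {"QueryName": "anydesk.com",
     "Image": "C:\\Users\\alice\\Downloads\\anydesk.exe"},
    # AnyDesk binary resolving an unrelated name: QueryName does not match.
    {"QueryName": "example.org",
     "Image": "C:\\Users\\alice\\Downloads\\anydesk.exe"},
]

def triage(events):
    """Return one boolean per event: True where the rule would alert."""
    return [matches(e) for e in events]

if __name__ == "__main__":
    for event, hit in zip(EVENTS, triage(EVENTS)):
        print("ALERT" if hit else "-----", event["Image"], "->", event["QueryName"])
```

Only the first event alerts; when tuning for the stated false positive (a legitimate AnyDesk installation), filter on fields the rule does not already constrain, such as host or install path.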
