Remote Access Tool - AnyDesk Incoming Connection

Rule Info

Name
Remote Access Tool - AnyDesk Incoming Connection
Author
@d4ns4n_ (Wuerth-Phoenix)
Description
Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
Reference
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
Date
2024-09-02 00:00:00
Modified
None
Id
d58ba5c6-0ed7-4b9d-a433-6878379efda9
Tags
attack.persistence attack.command-and-control attack.t1219 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=d58ba5c6-0ed7-4b9d-a433-6878379efda9

Rule History

Author
Title
Date
Commit
dan21san
Merge PR #4990 from @dan21san - Add `Remote Access Tool - AnyDesk Incoming Connection`
2024-09-02
bd284a997
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022