Remote Access Tool - AnyDesk Incoming Connection

Rule Info

Name
Remote Access Tool - AnyDesk Incoming Connection
Author
@d4ns4n_ (Wuerth-Phoenix)
Description
Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
Reference
https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
Date
2024-09-02 00:00:00
Modified
2025-02-24 00:00:00
Id
d58ba5c6-0ed7-4b9d-a433-6878379efda9
Tags
attack.persistence attack.command-and-control attack.t1219.002
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=d58ba5c6-0ed7-4b9d-a433-6878379efda9

Rule History

Author
Title
Date
Commit
phantinuss
Merge PR #5477 from @phantinuss - chore: update MITRE tag t1219 to t1219.002
2025-06-13
dfed136f1
Swachchhanda Shrawan Poudel
Merge PR #5207 from @swachchhanda000 - Updated Anydesk related rules
2025-03-05
f78491613
dan21san
Merge PR #4990 from @dan21san - Add `Remote Access Tool - AnyDesk Incoming Connection`
2024-09-02
bd284a997
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022