Detection | medium | test
Anydesk Remote Access Software Service Installation
Detects the installation of the AnyDesk software service, which could be an indication of AnyDesk abuse if the software isn't already used.
Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems) | Created Thu Aug 11 | Updated Mon Feb 24 | 530a6faa-ff3d-4022-b315-50828e77eef5 | windows
Log Source
Product: Windows (raw: windows)
Service: system (raw: system)
Detection Logic (2 selectors)
detection:
    selection_provider:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ServiceName|contains|all:
              - 'AnyDesk' # Covers both AnyDesk Service and AnyDesk MSI Service
              - 'Service'
        - ImagePath|contains: 'AnyDesk'
    condition: all of selection_*
False Positives
Legitimate usage of the AnyDesk tool
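The detection logic above, evaluated over a handful of constructed System log events. This is an added example, not part of the rule or of any Sigma backend; it assumes events arrive as flat dictionaries keyed by the rule's field names, and the helper names (`matches`, `alerts`) are hypothetical.

```python
# Added example: this rule's detection logic evaluated over constructed events.
# Assumes events are flat dicts keyed by the rule's field names.

def _contains(value, needle):
    # Sigma string matching is case-insensitive by default.
    return needle.lower() in str(value or "").lower()

def selection_provider(ev):
    # Keys inside one selection map are ANDed.
    return (str(ev.get("Provider_Name", "")).lower() == "service control manager"
            and str(ev.get("EventID", "")) == "7045")

def selection_service(ev):
    # The two list items are ORed; contains|all needs every substring present.
    by_name = all(_contains(ev.get("ServiceName"), s) for s in ("AnyDesk", "Service"))
    by_path = _contains(ev.get("ImagePath"), "AnyDesk")
    return by_name or by_path

def matches(ev):
    # condition: all of selection_*
    return selection_provider(ev) and selection_service(ev)

SCM = "Service Control Manager"
SAMPLE_EVENTS = [  # constructed for illustration, not real telemetry
    # Default install: matches on both service name and image path.
    {"Provider_Name": SCM, "EventID": 7045, "ServiceName": "AnyDesk Service",
     "ImagePath": r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service'},
    # Service name differs, but the ImagePath branch still matches.
    {"Provider_Name": SCM, "EventID": "7045", "ServiceName": "RemoteSupport",
     "ImagePath": r"C:\ProgramData\AnyDesk\AnyDesk.exe --service"},
    # 'AnyDesk' without 'Service' fails contains|all; path does not match either.
    {"Provider_Name": SCM, "EventID": 7045, "ServiceName": "AnyDesk Updater",
     "ImagePath": r"C:\Tools\updater.exe"},
    # Right service, wrong event ID (7036 is a state change, not an install).
    {"Provider_Name": SCM, "EventID": 7036, "ServiceName": "AnyDesk Service",
     "ImagePath": ""},
    # Unrelated service installation.
    {"Provider_Name": SCM, "EventID": 7045, "ServiceName": "Print Spooler Service",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
]

def alerts(events):
    return [ev["ServiceName"] for ev in events if matches(ev)]

if __name__ == "__main__":
    for name in alerts(SAMPLE_EVENTS):
        print("ALERT: AnyDesk service installed:", name)
```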
MITRE ATT&CK
Tactics
Rule Metadata
Rule ID: 530a6faa-ff3d-4022-b315-50828e77eef5
Status: test
Level: medium
Type: Detection
Created: Thu Aug 11
Modified: Mon Feb 24
Path: rules/windows/builtin/system/service_control_manager/win_system_service_install_anydesk.yml
Raw Tags: attack.persistence