Detectionmediumtest

Remote Access Tool - AnyDesk Piped Password Via CLI

Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Nasreddine Bencherchali (Nextron Systems)Created Wed Sep 28Updated Sun Mar 05b1377339-fda6-477a-b455-ac0923f9ec2cwindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        CommandLine|contains|all:
            # Example: C:\WINDOWS\system32\cmd.exe /C cmd.exe /c echo J9kzQ2Y0qO |C:\ProgramData\anydesk.exe --set-password
            - '/c '
            - 'echo '
            - '.exe --set-password'
    condition: selection

False Positives

Legitimate piping of the password to anydesk

Some FP could occur with similar tools that uses the same command line '--set-password'

References

Resolving title…

redcanary.com

MITRE ATT&CK

Tactics

TA0011 · Command and Control

Other

attack.t1219.002

Rule Metadata

Rule ID

b1377339-fda6-477a-b455-ac0923f9ec2c

Status

test

Level

medium

Type

Detection

Created

Wed Sep 28

Modified

Sun Mar 05

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml

Raw Tags

attack.command-and-controlattack.t1219.002

View on GitHub