Detectionmediumexperimental
Remote Access Tool - AnyDesk Incoming Connection
Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Created Mon Sep 02Updated Mon Feb 24d58ba5c6-0ed7-4b9d-a433-6878379efda9windows
Log Source
WindowsNetwork Connection
ProductWindows← raw: windows
CategoryNetwork Connection← raw: network_connection
Events for outbound and inbound network connections including DNS resolution.
Detection Logic
Detection Logic1 selector
detection:
selection:
Image|endswith:
- '\AnyDesk.exe'
- '\AnyDeskMSI.exe'
Initiated: 'false' # If the network connection is initiated remotely (incoming), the field is set to false.
condition: selectionFalse Positives
Legitimate incoming connections (e.g. sysadmin activity). Most of the time I would expect outgoing connections (initiated locally).
MITRE ATT&CK
Other
attack.t1219.002
Rule Metadata
Rule ID
d58ba5c6-0ed7-4b9d-a433-6878379efda9
Status
experimental
Level
medium
Type
Detection
Created
Mon Sep 02
Modified
Mon Feb 24
Path
rules/windows/network_connection/net_connection_win_remote_access_tools_anydesk_incoming_connection.yml
Raw Tags
attack.persistenceattack.command-and-controlattack.t1219.002