The Anydesk Temporary Artefact rule detects the potential use of legitimate remote access tools to establish an interactive command and control channel by adversaries. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage persistent access attempts that could lead to long-term compromise.
Detection Rule
title: Anydesk Temporary Artefact
id: 0b9ad457-2554-44c1-82c2-d56a99c42377
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
author: frack113
date: 2022-02-11
modified: 2024-07-20
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\AppData\Roaming\AnyDesk\user.conf'
            - '\AppData\Roaming\AnyDesk\system.conf'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_anydesk_artefact/info.yml
Azure Sentinel Query (ASIM imFileEvent parser)
imFileEvent
| where TargetFileName contains "\\AppData\\Roaming\\AnyDesk\\user.conf"
    or TargetFileName contains "\\AppData\\Roaming\\AnyDesk\\system.conf"
Scenario: IT Department Performing Remote Support
Description: IT staff use Anydesk to provide remote support to end-users, which is a legitimate use case.
Filter/Exclusion: Exclude processes initiated by IT service accounts or from known IT support IP ranges. Example: (process.parent_process.name == "Anydesk" AND process.user == "it-support") OR source_ip IN ("192.168.1.0/24")
Scenario: Scheduled Maintenance Task Using Anydesk
Description: A scheduled task runs Anydesk to perform system updates or configuration changes on remote machines.
Filter/Exclusion: Exclude processes associated with scheduled tasks (e.g., task scheduler or at.exe) or with known maintenance scripts. Example: process.parent_process.name == "schtasks.exe" OR process.command_line LIKE "%maintenance%"
Scenario: Admin Using Anydesk for System Monitoring
Description: An administrator uses Anydesk to monitor system performance or check on remote servers.
Filter/Exclusion: Exclude processes initiated by admin accounts with elevated privileges or from known monitoring tools. Example: (process.user == "Administrator" AND process.parent_process.name == "Anydesk") OR process.name == "Performance Monitor"
Scenario: Anydesk Used for Software Deployment
Description: IT uses Anydesk to push software updates or patches to remote endpoints.
Filter/Exclusion: Exclude processes that are part of a known deployment tool or have a specific deployment command line. Example: process.command_line LIKE "%deploy%" OR process.name == "DeploymentTool.exe"
Scenario: Anydesk Used for Remote Desktop Access
Description: Employees use Anydesk to access their work desktops from home, which is a common remote access scenario.
Filter/Exclusion: Exclude processes that originate from known internal IP ranges.
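The rule's selection and one of the tuning exclusions above, implemented as an added Python example (not code from the Sigma project or the rule author) and run over constructed Sysmon FileCreate records. Because file_event telemetry carries the creating user and image rather than a parent process or source IP, the exclusion here keys on the account; the CORP\it-support account name and all sample events are assumptions.

```python
import json

# Sigma selection from the rule: substring match on TargetFilename.
# Sigma string matching is case-insensitive by default, so compare lowercased.
ANYDESK_ARTEFACTS = (
    r"\AppData\Roaming\AnyDesk\user.conf",
    r"\AppData\Roaming\AnyDesk\system.conf",
)

# Assumed allowlist for the "IT Department Performing Remote Support" scenario:
# accounts expected to create AnyDesk artefacts. Hypothetical value.
ALLOWED_USERS = {"CORP\\it-support"}


def matches_rule(event: dict) -> bool:
    """Return True when the file event matches the Sigma selection."""
    target = event.get("TargetFilename", "").lower()
    return any(artefact.lower() in target for artefact in ANYDESK_ARTEFACTS)


def is_excluded(event: dict) -> bool:
    """Apply the false-positive exclusion: known IT support accounts."""
    return event.get("User", "") in ALLOWED_USERS


def evaluate(events: list) -> list:
    """Return the events that should alert: rule match and not excluded."""
    return [e for e in events if matches_rule(e) and not is_excluded(e)]


# Constructed Sysmon Event ID 11 (FileCreate) records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 11, "User": "CORP\\jdoe", "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\AnyDesk\user.conf"},
    {"EventID": 11, "User": "CORP\\it-support", "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "TargetFilename": r"C:\Users\it-support\AppData\Roaming\AnyDesk\system.conf"},
    {"EventID": 11, "User": "CORP\\jdoe", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\AnyDesk\thumbnails\x.png"},
    # Mixed-case path: still matches because the comparison is case-insensitive.
    {"EventID": 11, "User": "CORP\\asmith", "Image": r"C:\Users\asmith\AppData\Local\Temp\svc.exe",
     "TargetFilename": r"C:\Users\asmith\appdata\roaming\anydesk\USER.CONF"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

The first and fourth sample events alert; the it-support event is suppressed by the allowlist and the thumbnail write never matches the selection.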