title: Suspicious Binary Writes Via AnyDesk
id: 2d367498-5112-4ae5-a06a-96e7bc33a211
status: test
description: |
    Detects AnyDesk writing binary files to disk other than "gcapi.dll".
    According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,
    which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
references:
    - https://redcanary.com/blog/misbehaving-rats/
    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-28
modified: 2025-02-24
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\AnyDesk.exe'
            - '\AnyDeskMSI.exe'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_dlls:
        TargetFilename|endswith: '\gcapi.dll'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high

title: Remote Access Tool - Anydesk Execution From Suspicious Folder
id: 065b00ca-5d5c-4557-ac95-64a6d0b64d86
related:
    - id: b52e84a3-029e-4529-b09b-71d19dd27e94
      type: similar
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-05-20
modified: 2025-02-24
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\AnyDesk.exe'
              - '\AnyDeskMSI.exe'
        - Description: AnyDesk
        - Product: AnyDesk
        - Company: AnyDesk Software GmbH
    filter:
        Image|contains:
            - '\AppData\'
            - 'Program Files (x86)\AnyDesk'
            - 'Program Files\AnyDesk'
    condition: selection and not filter
falsepositives:
    - Legitimate use of AnyDesk from a non-standard folder
level: high

title: Remote Access Tool - AnyDesk Silent Installation
id: 114e7f1c-f137-48c8-8f54-3088c24ce4b9
status: test
description: Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.
references:
    - https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20
    - https://support.anydesk.com/Automatic_Deployment
author: Ján Trenčanský
date: 2021-08-06
modified: 2023-03-05
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '--install'
            - '--start-with-win'
            - '--silent'
    condition: selection
falsepositives:
    - Legitimate deployment of AnyDesk
level: high

title: Remote Access Tool - AnyDesk Incoming Connection
id: d58ba5c6-0ed7-4b9d-a433-6878379efda9
status: experimental
description: |
    Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
    - https://asec.ahnlab.com/en/40263/
author: '@d4ns4n_ (Wuerth-Phoenix)'
date: 2024-09-02
modified: 2025-02-24
tags:
    - attack.persistence
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith:
            - '\AnyDesk.exe'
            - '\AnyDeskMSI.exe'
        Initiated: 'false' # If the network connection is initiated remotely (incoming), the field is set to false.
    condition: selection
falsepositives:
    - Legitimate incoming connections (e.g. sysadmin activity). Most of the time I would expect outgoing connections (initiated locally).
level: medium

title: Anydesk Temporary Artefact
id: 0b9ad457-2554-44c1-82c2-d56a99c42377
status: test
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
author: frack113
date: 2022-02-11
modified: 2024-07-20
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: file_event
    product: windows
detection:
    selection:
        TargetFilename|contains:
            - '\AppData\Roaming\AnyDesk\user.conf'
            - '\AppData\Roaming\AnyDesk\system.conf'
    condition: selection
falsepositives:
    - Legitimate use
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_anydesk_artefact/info.yml

title: Remote Access Tool - AnyDesk Piped Password Via CLI
id: b1377339-fda6-477a-b455-ac0923f9ec2c
status: test
description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
references:
    - https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-28
modified: 2023-03-05
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            # Example: C:\WINDOWS\system32\cmd.exe /C cmd.exe /c echo J9kzQ2Y0qO |C:\ProgramData\anydesk.exe --set-password
            - '/c '
            - 'echo '
            - '.exe --set-password'
    condition: selection
falsepositives:
    - Legitimate piping of the password to anydesk
    - Some FP could occur with similar tools that uses the same command line '--set-password'
level: medium

title: Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
id: 41f407b5-3096-44ea-a74f-96d04fbc41be
status: test
description: |
    Detects the execution of an AnyDesk binary with a version prior to 8.0.8.
    Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors.
    Use this rule to detect instances of older versions of Anydesk using the compromised certificate
    This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.
references:
    - https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/
    - https://anydesk.com/en/changelog/windows
author: Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-08
tags:
    - attack.execution
    - attack.initial-access
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\AnyDesk.exe'
        - Description: 'AnyDesk'
        - Product: 'AnyDesk'
        - Company: 'AnyDesk Software GmbH'
    selection_version:
        FileVersion|startswith:
            - '7.0.'
            - '7.1.'
            - '8.0.1'
            - '8.0.2'
            - '8.0.3'
            - '8.0.4'
            - '8.0.5'
            - '8.0.6'
            - '8.0.7'
    filter_main_uninstall:
        CommandLine|contains:
            - ' --remove'
            - ' --uninstall'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: medium

title: Remote Access Tool - AnyDesk Execution
id: b52e84a3-029e-4529-b09b-71d19dd27e94
status: test
related:
    - id: 065b00ca-5d5c-4557-ac95-64a6d0b64d86
      type: similar
description: |
    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
author: frack113
date: 2022-02-11
modified: 2025-02-24
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|endswith:
              - '\AnyDesk.exe'
              - '\AnyDeskMSI.exe'
        - Description: AnyDesk
        - Product: AnyDesk
        - Company: AnyDesk Software GmbH
    condition: selection
falsepositives:
    - Legitimate use
level: medium

title: Anydesk Remote Access Software Service Installation
id: 530a6faa-ff3d-4022-b315-50828e77eef5
status: test
description: Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.
references:
    - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-08-11
modified: 2025-02-24
tags:
    - attack.persistence
logsource:
    product: windows
    service: system
detection:
    selection_provider:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_service:
        - ServiceName|contains|all:
              - 'AnyDesk' # Covers both AnyDesk Service and AnyDesk MSI Service
              - 'Service'
        - ImagePath|contains: 'AnyDesk'
    condition: all of selection_*
falsepositives:
    - Legitimate usage of the anydesk tool
level: medium