
Conversation

@dan21san
Contributor

@dan21san dan21san commented Jul 2, 2024

Summary of the Pull Request

Add a new detection rule for incoming and accepted connections via the remote connection tool AnyDesk. This could be a sign of persistence and C2 activity.

Example Log Event

I am not sure I have used the correct field, `direction`. I'm using Elastic, and for Sysmon events the associated field is `network.direction`.

This field is fundamental for the rule.


github-actions bot added the `Rules Windows` label (Pull request add/update windows related rules) Jul 2, 2024
@dan21san
Contributor Author

dan21san commented Jul 2, 2024

I think the problem is `direction: 'ingress'`. How could this be fixed?

@nasbench
Member

nasbench commented Jul 2, 2024

> I think the problem is `direction: 'ingress'`. How could this be fixed?

The rule is using fields and values generated by the Elastic agent / SIEM. This would qualify it as a rule that can "only" be used by such a tool. Can you link to another EDR or collection agent that has this kind of enrichment?

It doesn't make sense (most of the time) to create a Sigma rule that can only be converted to a single backend. (we try to avoid those when possible).

I'll evaluate and review the usefulness of the rule regardless and see if we can add it to the set with a definition section. But please try and link other solutions :)

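To make the portability point concrete, here is an added example (not code from the PR, its author, or the SigmaHQ maintainers) that runs two versions of the detection logic over constructed Sysmon Event ID 3 records: one keyed on the Elastic-only `network.direction: ingress` enrichment, and one keyed on Sysmon's native `Initiated` field. Assumptions not stated on this page: that Sysmon's `Initiated` field is the native source of the connection direction (`false` meaning the local process accepted the connection), and that the Elastic pipeline derives `network.direction` from it. The sample events and the `enrich_like_elastic` helper are hypothetical stand-ins for real telemetry and for the Elastic pipeline.

```python
"""Added example: rule portability across collectors.

Assumptions (not from the PR page):
- Sysmon Event ID 3 carries an `Initiated` field; "false" means the local
  process accepted an inbound connection rather than opening one.
- An Elastic-style pipeline derives ECS `network.direction` from Initiated
  (true -> "egress", false -> "ingress"). Collectors that forward raw Sysmon
  events have no `network.direction` field at all.
"""

# Constructed sample events, not real telemetry.
RAW_SYSMON_EVENTS = [
    {   # AnyDesk accepting an inbound session: the case the PR wants to catch
        "EventID": 3,
        "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
        "Initiated": "false",
        "SourceIp": "203.0.113.10", "SourcePort": 50001,
        "DestinationIp": "10.0.0.5", "DestinationPort": 7070,
    },
    {   # AnyDesk dialing out (e.g. to a relay): outbound, not in scope
        "EventID": 3,
        "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
        "Initiated": "true",
        "SourceIp": "10.0.0.5", "SourcePort": 50002,
        "DestinationIp": "198.51.100.20", "DestinationPort": 443,
    },
    {   # Unrelated inbound connection to a web server process
        "EventID": 3,
        "Image": r"C:\nginx\nginx.exe",
        "Initiated": "false",
        "SourceIp": "203.0.113.11", "SourcePort": 50003,
        "DestinationIp": "10.0.0.5", "DestinationPort": 80,
    },
]


def enrich_like_elastic(event):
    """Hypothetical imitation of the Elastic Sysmon pipeline: keep the raw
    fields and add the ECS `network.direction` value derived from Initiated."""
    out = dict(event)
    out["network.direction"] = "egress" if event["Initiated"] == "true" else "ingress"
    return out


def _is_anydesk_netconn(event):
    """Shared part of both rules: Sysmon network event from AnyDesk.exe."""
    return (event.get("EventID") == 3
            and str(event.get("Image", "")).lower().endswith("\\anydesk.exe"))


def rule_elastic_only(event):
    """Detection as the PR describes it: depends on the ECS enrichment."""
    return _is_anydesk_netconn(event) and event.get("network.direction") == "ingress"


def rule_portable(event):
    """Same detection on the native Sysmon field, usable with any collector
    that forwards Sysmon Event ID 3 unchanged."""
    return _is_anydesk_netconn(event) and str(event.get("Initiated", "")).lower() == "false"


def run(rule, events):
    """Return the SourceIp of every event the rule fires on, in order."""
    return [e["SourceIp"] for e in events if rule(e)]


if __name__ == "__main__":
    enriched = [enrich_like_elastic(e) for e in RAW_SYSMON_EVENTS]
    print("elastic-only rule, raw Sysmon :", run(rule_elastic_only, RAW_SYSMON_EVENTS))
    print("elastic-only rule, ECS events :", run(rule_elastic_only, enriched))
    print("portable rule, raw Sysmon     :", run(rule_portable, RAW_SYSMON_EVENTS))
    print("portable rule, ECS events     :", run(rule_portable, enriched))
```

The enrichment-dependent rule misses the AnyDesk inbound session entirely on raw Sysmon data and only fires once the Elastic pipeline has added `network.direction`, while the `Initiated`-based rule fires on both forms of the event. In Sigma terms that is the difference between a selection on `network.direction` (a backend-specific field) and one on `Initiated: 'false'` for `EventID: 3`, which is the kind of native field a rule can be converted against for multiple backends.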
nasbench added the `Work In Progress` label (Some changes are needed) and the `Author Input Required` label (changes that require information from the original author of the rules) Jul 2, 2024
@nasbench nasbench self-assigned this Jul 2, 2024
@nasbench nasbench marked this pull request as draft July 3, 2024 12:44
nasbench added the `Not-Possible` label (The rule cannot be accepted or implemented from the information provided) Aug 1, 2024
@nasbench
Member

nasbench commented Aug 1, 2024

Closing this due to inactivity for now.

Further information is required, and an internal discussion needs to take place.
