From f3afba92ee9d55f4773c3f8e5dd95b0bb5c8eb83 Mon Sep 17 00:00:00 2001
From: Degasperi
Date: Tue, 2 Jul 2024 14:58:13 +0200
Subject: [PATCH 1/2] Add rule net_connection_win_anydesk_accepted_incoming_connection
---
 ...n_anydesk_accepted_incoming_connection.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/windows/network_connection/net_connection_win_anydesk_accepted_incoming_connection.yml
diff --git a/rules/windows/network_connection/net_connection_win_anydesk_accepted_incoming_connection.yml b/rules/windows/network_connection/net_connection_win_anydesk_accepted_incoming_connection.yml
new file mode 100644
index 00000000000..dcdf5e5de2e
--- /dev/null
+++ b/rules/windows/network_connection/net_connection_win_anydesk_accepted_incoming_connection.yml
@@ -0,0 +1,26 @@
+title: AnyDesk Accepted Incoming Connection
+id: d58ba5c6-0ed7-4b9d-a433-6878379efda9
+status: experimental
+description: Detects accepted incoming connections via AnyDesk.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
+author: '@d4ns4n_ (Wuerth-Phoenix)'
+date: 2024/07/02
+tags:
+ - attack.persistence
+ - attack.command_and_control
+ - attack.t1219
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\AnyDesk.exe'
+ direction: 'ingress'
+ action:
+ - 'connection_accepted'
+ - 'network connection'
+ condition: selection
+falsepositives:
+ - Legitimate incoming connections on the monitored machine via AnyDesk (most of the time I would expect outgoing connections).
+level: high
From 8d41f998a5b7d4d9797a12ec5154f9992e1caf14 Mon Sep 17 00:00:00 2001 
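Review bot: The selection keys `direction` and `action` in the new rule are not part of the Sigma `network_connection` field set for `product: windows`, which is backed by Sysmon Event ID 3 and exposes `Image`, `Initiated`, the source/destination IP and port fields, so as written the rule will most likely never match once a backend converts it. Inbound connections are expressed there with a single key, `Initiated: 'false'`, which should replace the `direction`/`action` block; if these names come from a specific product's schema instead, that product should be named in the logsource and the description. Matching on `Image|endswith: '\AnyDesk.exe'` alone also misses a renamed binary, which is worth stating as a known limitation in the description. The falsepositives entry is written in the first person ("I would expect"); Sigma keeps this field as a neutral statement, e.g. `- Legitimate incoming AnyDesk sessions to the monitored host; outbound sessions are the more common use`.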
From: dan21san <98960305+dan21san@users.noreply.github.com>
Date: Tue, 2 Jul 2024 15:12:28 +0200
Subject: [PATCH 2/2] fix trailing spaces
---
 ...et_connection_win_anydesk_accepted_incoming_connection.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/network_connection/net_connection_win_anydesk_accepted_incoming_connection.yml b/rules/windows/network_connection/net_connection_win_anydesk_accepted_incoming_connection.yml
index dcdf5e5de2e..d796118898b 100644
--- a/rules/windows/network_connection/net_connection_win_anydesk_accepted_incoming_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_anydesk_accepted_incoming_connection.yml
@@ -1,7 +1,7 @@
 title: AnyDesk Accepted Incoming Connection
 id: d58ba5c6-0ed7-4b9d-a433-6878379efda9
 status: experimental
-description: Detects accepted incoming connections via AnyDesk.
+description: Detects accepted incoming connections via AnyDesk.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
 author: '@d4ns4n_ (Wuerth-Phoenix)'
@@ -22,5 +22,5 @@ detection:
 - 'network connection'
 condition: selection
 falsepositives:
- - Legitimate incoming connections on the monitored machine via AnyDesk (most of the time I would expect outgoing connections).
+ - Legitimate incoming connections on the monitored machine via AnyDesk (most of the time I would expect outgoing connections).
 level: high