From 6ddf2a2f07bc06e831f9b80c7bf9008bd4c32b7e Mon Sep 17 00:00:00 2001
From: Degasperi
Date: Fri, 30 Aug 2024 09:48:52 +0200
Subject: [PATCH 1/4] Add rule net_connection_win_anydesk_incoming_connection
---
 ...ection_win_anydesk_incoming_connection.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/windows/network_connection/net_connection_win_anydesk_incoming_connection.yml
diff --git a/rules/windows/network_connection/net_connection_win_anydesk_incoming_connection.yml b/rules/windows/network_connection/net_connection_win_anydesk_incoming_connection.yml
new file mode 100644
index 00000000000..cf3cbb11fb5
--- /dev/null
+++ b/rules/windows/network_connection/net_connection_win_anydesk_incoming_connection.yml
@@ -0,0 +1,26 @@
+title: AnyDesk Incoming Connection
+id: d58ba5c6-0ed7-4b9d-a433-6878379efda9
+status: experimental
+description: |
+ Detects incoming connections via AnyDesk.
+ This could indicate the enstablish of a potential command and control channel.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
+ - https://asec.ahnlab.com/en/40263/
+author: '@d4ns4n_ (Wuerth-Phoenix)'
+date: 2024/07/02
+tags:
+ - attack.persistence
+ - attack.command_and_control
+ - attack.t1219
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\AnyDesk.exe'
+ Initiated: 'false' # If the network connection is initiated remotely (incoming), the field is set to false.
+ condition: selection
+falsepositives:
+ - Legitimate incoming connections (e.g. sysadmin activity). Most of the time I would expect outgoing connections (initiated locally).
+level: high
From 7efafd541d3cd815d704c8ad44dd96ba7d8be8d5 Mon Sep 17 00:00:00 2001
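Review bot: The selection keyed on `Initiated: 'false'` in the `detection` block appears to cover only direct incoming sessions; if I recall AnyDesk's design correctly, sessions brokered through its relay network are set up as outbound connections from the listening host, so they would be logged with Initiated true and slip past this rule. That limitation should be stated in the rule, e.g. by extending the inline comment to `# Only direct (non-relayed) incoming sessions match here; relayed sessions appear as outbound connections from this host`. The `Image|endswith: '\AnyDesk.exe'` match likewise relies on the default binary name, so a custom-branded or renamed client would not match, which is worth noting under falsepositives or description. Keeping 'false' quoted is right: an unquoted false would be typed as a YAML boolean rather than the string value the field carries in the log. Finally, `attack.persistence` looks out of place for T1219, which ATT&CK files under Command and Control; unless the rule is meant to cover a persistence scenario, dropping that tag would keep the mapping accurate.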
From: dan21san <98960305+dan21san@users.noreply.github.com>
Date: Fri, 30 Aug 2024 09:59:05 +0200
Subject: [PATCH 2/4] Update net_connection_win_anydesk_incoming_connection.yml
Fix the date field
---
 .../net_connection_win_anydesk_incoming_connection.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/network_connection/net_connection_win_anydesk_incoming_connection.yml b/rules/windows/network_connection/net_connection_win_anydesk_incoming_connection.yml
index cf3cbb11fb5..913da929363 100644
--- a/rules/windows/network_connection/net_connection_win_anydesk_incoming_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_anydesk_incoming_connection.yml
@@ -8,7 +8,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
 - https://asec.ahnlab.com/en/40263/
 author: '@d4ns4n_ (Wuerth-Phoenix)'
-date: 2024/07/02
+date: 2024-08-30
 tags:
 - attack.persistence
 - attack.command_and_control
From 7b299d53a3807061b9a38562f0caac581e94dbc9 Mon Sep 17 00:00:00 2001
From: dan21san <98960305+dan21san@users.noreply.github.com>
Date: Fri, 30 Aug 2024 10:05:47 +0200
Subject: [PATCH 3/4] Update net_connection_win_anydesk_incoming_connection.yml
Fix tags
---
 .../net_connection_win_anydesk_incoming_connection.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/network_connection/net_connection_win_anydesk_incoming_connection.yml b/rules/windows/network_connection/net_connection_win_anydesk_incoming_connection.yml
index 913da929363..6d3a44eb1ac 100644
--- a/rules/windows/network_connection/net_connection_win_anydesk_incoming_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_anydesk_incoming_connection.yml
@@ -11,7 +11,7 @@ author: '@d4ns4n_ (Wuerth-Phoenix)'
 date: 2024-08-30
 tags:
 - attack.persistence
- attack.command_and_control
+ - attack.command-and-control
 - attack.t1219
 logsource:
 category: network_connection
From d26f3b56719087e0fb5994a79ab27b759f8f2c3a Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Mon, 2 Sep 2024 13:27:15 +0200
Subject: [PATCH 4/4] metadata update
---
 ..._remote_access_tools_anydesk_incoming_connection.yml} | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
 rename rules/windows/network_connection/{net_connection_win_anydesk_incoming_connection.yml => net_connection_win_remote_access_tools_anydesk_incoming_connection.yml} (74%)
diff --git a/rules/windows/network_connection/net_connection_win_anydesk_incoming_connection.yml b/rules/windows/network_connection/net_connection_win_remote_access_tools_anydesk_incoming_connection.yml
similarity index 74%
rename from rules/windows/network_connection/net_connection_win_anydesk_incoming_connection.yml
rename to rules/windows/network_connection/net_connection_win_remote_access_tools_anydesk_incoming_connection.yml
index 6d3a44eb1ac..4583e2b3f70 100644
--- a/rules/windows/network_connection/net_connection_win_anydesk_incoming_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_remote_access_tools_anydesk_incoming_connection.yml
@@ -1,14 +1,13 @@
-title: AnyDesk Incoming Connection
+title: Remote Access Tool - AnyDesk Incoming Connection
 id: d58ba5c6-0ed7-4b9d-a433-6878379efda9
 status: experimental
 description: |
- Detects incoming connections via AnyDesk.
- This could indicate the enstablish of a potential command and control channel.
+ Detects incoming connections to AnyDesk. This could indicate a potential remote attacker trying to connect to a listening instance of AnyDesk and use it as potential command and control channel.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
 - https://asec.ahnlab.com/en/40263/
 author: '@d4ns4n_ (Wuerth-Phoenix)'
-date: 2024-08-30
+date: 2024-09-02
 tags:
 - attack.persistence
 - attack.command-and-control
@@ -23,4 +22,4 @@ detection:
 condition: selection
 falsepositives:
 - Legitimate incoming connections (e.g. sysadmin activity). Most of the time I would expect outgoing connections (initiated locally).
-level: high
+level: medium
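Review bot: The rewritten description in the first hunk is a single line of roughly 200 characters inside a `description: |` literal block, which is well past the usual 80/120-column limit and harder to read in review. Splitting it after `Detects incoming connections to AnyDesk.` keeps the same wording and only inserts a line break, as the two-line description it replaces already did. The tags in the same hunk are unchanged context, but since the commit retitles the rule as a Remote Access Tool detection, it would be a good moment to reconsider whether `attack.persistence` still fits alongside `attack.t1219`.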