cscli scenarios install sigmahq/proc_creation_win_remote_access_tools_anydesk_silent_install1type: trigger2name: sigmahq/proc_creation_win_remote_access_tools_anydesk_silent_install3description: |4 Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.5filter: |6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && (evt.Parsed.CommandLine contains '--install' && evt.Parsed.CommandLine contains '--start-with-win' && evt.Parsed.CommandLine contains '--silent')7blackhole: 2m8#status: test9labels:10 service: windows11 confidence: 112 spoofable: 013 classification:14 - attack.t12191516 label: "Remote Access Tool - AnyDesk Silent Installation"17 behavior : "windows:audit"18 remediation: false1920scope:21 type: ParentProcessId22 expression: evt.Parsed.ParentProcessId2324