cscli scenarios install sigmahq/proc_creation_win_remote_access_tools_anydesk_susp_exec1type: trigger2name: sigmahq/proc_creation_win_remote_access_tools_anydesk_susp_exec3description: |4 An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)5filter: |6 (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1') && ((evt.Parsed.Image endsWith '\\AnyDesk.exe' || evt.Parsed.Description == 'AnyDesk' || evt.Parsed.Product == 'AnyDesk' || evt.Parsed.Company == 'AnyDesk Software GmbH') && not (evt.Parsed.Image contains '\\AppData\\' || evt.Parsed.Image contains 'Program Files (x86)\\AnyDesk' || evt.Parsed.Image contains 'Program Files\\AnyDesk'))7blackhole: 2m8#status: test9labels:10 service: windows11 confidence: 112 spoofable: 013 classification:14 - attack.t12191516 label: "Remote Access Tool - Anydesk Execution From Suspicious Folder"17 behavior : "windows:audit"18 remediation: false1920scope:21 type: ParentProcessId22 expression: evt.Parsed.ParentProcessId2324