Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate

Severity: medium
Author: Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems)
Source: upstream

Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. Use this rule to detect instances of older versions of Anydesk using the compromised certificate This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_img`

or:
Company: 'AnyDesk Software GmbH'
Description: AnyDesk
Image|endswith: '\AnyDesk.exe'
Product: AnyDesk

Stage 2: `all of selection_version`

or:
FileVersion|startswith: 7.0.
FileVersion|startswith: 7.1.
FileVersion|startswith: 8.0.1
FileVersion|startswith: 8.0.2
FileVersion|startswith: 8.0.3
FileVersion|startswith: 8.0.4
FileVersion|startswith: 8.0.5
FileVersion|startswith: 8.0.6
FileVersion|startswith: 8.0.7

Stage 3: `not 1 of filter_main_uninstall`

or:
CommandLine|contains: ' --remove'
CommandLine|contains: ' --uninstall'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`--remove` `--uninstall`
`Company`	eq	`AnyDesk Software GmbH` corpus 3 (sigma 3)
`Description`	eq	`AnyDesk` corpus 3 (sigma 3)
`FileVersion`	starts_with	`7.0.` `7.1.` `8.0.1` `8.0.2` `8.0.3` `8.0.4` `8.0.5` `8.0.6` `8.0.7`
`Image`	ends_with	`\AnyDesk.exe` corpus 5 (sigma 5)
`Product`	eq	`AnyDesk` corpus 3 (sigma 3)