Anydesk Remote Access Software Service Installation

Severity: medium
Author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
Source: upstream

Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.

Event coverage

Provider	Event ID	Title
Service-Control-Manager	7045

Stages and Predicates

Stage 1: `all of selection_provider`

Provider_Name: 'Service Control Manager'

Stage 2: `all of selection_service`

or:
ServiceName|contains: AnyDesk
ServiceName|contains: Service
ImagePath|contains: AnyDesk

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`ImagePath`	match	`AnyDesk`
`Provider_Name`	eq	`Service Control Manager` corpus 43 (sigma 43)
`ServiceName`	match	`AnyDesk` corpus 2 (sigma 2) `Service`

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

Invoke-Obfuscation Via Use Rundll32 - System [sigma] (adds 5 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System [sigma] (adds 5 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation VAR+ Launcher - System [sigma] (adds 4 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation COMPRESS OBFUSCATION - System [sigma] (adds 4 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation RUNDLL LAUNCHER - System [sigma] (adds 4 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation CLIP+ Launcher - System [sigma] (adds 3 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation STDIN+ Launcher - System [sigma] (adds 3 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation Via Stdin - System [sigma] (adds 3 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation Via Use MSHTA - System [sigma] (adds 2 filters) (first-stage match only; downstream stages may differ)
ProcessHacker Privilege Elevation [sigma] (adds 2 filters) (first-stage match only; downstream stages may differ)
Invoke-Obfuscation Via Use Clip - System [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
Credential Dumping Tools Service Execution - System [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
Moriya Rootkit - System [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
PowerShell Scripts Installed as Services [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
Service Installed By Unusual Client - System [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
Suspicious Service Installation [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
Tap Driver Installation [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
RTCore Suspicious Service Installation [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)
Service Installation in Suspicious Folder [sigma] (adds 1 filter) (first-stage match only; downstream stages may differ)

Broader alternatives (more inclusive than this rule)

These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.

Invoke-Obfuscation Obfuscated IEX Invocation - System [sigma] (drops 1 filter this rule applies) (first-stage match only; downstream stages may differ)