From 710afb39ab42048ca04747f14285910c64dbe18a Mon Sep 17 00:00:00 2001
From: Daniel Koifman
Date: Wed, 25 Dec 2024 08:51:34 +0200
Subject: [PATCH 1/3] Create proc_creation_win_remote_access_tools_anydesk_set_password_via_cli.yml

---
 ...ess_tools_anydesk_set_password_via_cli.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_set_password_via_cli.yml

diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_set_password_via_cli.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_set_password_via_cli.yml
new file mode 100644
index 00000000000..4ee6bac7234
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_set_password_via_cli.yml
@@ -0,0 +1,26 @@
+title: Remote Access Tool - Potential AnyDesk Set Password Via CLI
+id: b1377339-fda6-477a-b455-ac0923f9ec2c
+related:
+ - id: b1377339-fda6-477a-b455-ac0923f9ec2c
+ type: similar
+status: test
+description: Detects setting the password on an anydesk instance via CMD and the '--set-password' flag.
+references:
+ - https://redcanary.com/blog/misbehaving-rats/
+ - https://www.fox-it.com/nl-en/research-blog/the-dark-side-how-threat-actors-leverage-anydesk-for-malicious-activities/
+author: Nasreddine Bencherchali (Nextron Systems), Daniel Koifman('@KoifSec')
+date: 2024-12-25
+tags:
+ - attack.command-and-control
+ - attack.t1219
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains: '.exe --set-password' # Example: C:\WINDOWS\system32\cmd.exe /C cmd.exe /c echo J9kzQ2Y0qO |C:\ProgramData\anydesk.exe --set-password
+ condition: selection
+falsepositives:
+ - Legitimate password setting operation on anydesk
+ - Some FP could occur with similar tools that uses the same command line '--set-password'
+level: medium
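Review bot: The pattern `CommandLine|contains: '.exe --set-password'` in the `selection` block misses the common case where the image path is quoted, e.g. `"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --set-password`, because the closing quote sits between `.exe` and the space, and nothing else in the rule anchors on AnyDesk (the only AnyDesk string is in a comment). Consider a list, `CommandLine|contains:` / `- '.exe --set-password'` / `- '.exe" --set-password'`, or simply `'--set-password'`, since the falsepositives entry already accepts matches from other tools using that flag. If Sysmon-style PE metadata is available in the target data source, an extra `OriginalFileName: 'AnyDesk.exe'` selection would still match a renamed binary like the `C:\ProgramData\anydesk.exe` in the example, though it would then no longer fire on the parent `cmd.exe` wrapper, so it is a trade-off rather than a drop-in. Worth recording in the description for triage: the value piped via `echo J9kzQ2Y0qO |` in the example is the unattended-access password itself and is captured in the parent process command line, so the alert carries the credential responders need to invalidate.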
From f4a3c709351da82c3f5d33912ce4cf2ea5956705 Mon Sep 17 00:00:00 2001
From: Daniel Koifman
Date: Thu, 2 Jan 2025 09:47:12 +0200
Subject: [PATCH 2/3] Update rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_set_password_via_cli.yml

Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 ...ion_win_remote_access_tools_anydesk_set_password_via_cli.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_set_password_via_cli.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_set_password_via_cli.yml
index 4ee6bac7234..7dfeb848e2a 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_set_password_via_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_set_password_via_cli.yml
@@ -3,7 +3,7 @@ id: b1377339-fda6-477a-b455-ac0923f9ec2c
 related:
 - id: b1377339-fda6-477a-b455-ac0923f9ec2c
 type: similar
-status: test
+status: experimental
 description: Detects setting the password on an anydesk instance via CMD and the '--set-password' flag.
 references:
 - https://redcanary.com/blog/misbehaving-rats/

From 3e886bb003d701106273f6dc22d9f1fde7000e37 Mon Sep 17 00:00:00 2001
From: Daniel Koifman
Date: Thu, 2 Jan 2025 09:50:22 +0200
Subject: [PATCH 3/3] Update proc_creation_win_remote_access_tools_anydesk_set_password_via_cli.yml

update GUID
---
 ...ion_win_remote_access_tools_anydesk_set_password_via_cli.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_set_password_via_cli.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_set_password_via_cli.yml
index 7dfeb848e2a..ec4bf721af3 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_set_password_via_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_set_password_via_cli.yml
@@ -1,5 +1,5 @@
 title: Remote Access Tool - Potential AnyDesk Set Password Via CLI
-id: b1377339-fda6-477a-b455-ac0923f9ec2c
+id: f6dd423a-8f9a-4ec2-bfed-a87a992bc996
 related:
 - id: b1377339-fda6-477a-b455-ac0923f9ec2c
 type: similar
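Review bot: After the `id` change the `related` entry still points at `b1377339-fda6-477a-b455-ac0923f9ec2c`, which in PATCH 1/3 was this rule's own id, so it is not obvious from the series whether that UUID was always the intended sibling or a placeholder that was never updated. Confirm it resolves to an existing rule (presumably the AnyDesk rule this one is meant to be `similar` to); a dangling related id is not a YAML error and would only be caught by repository-level checks, if at all. If there is no sibling rule, drop the `related:` block rather than keep a reference that cannot be followed.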