From a296bfe667a4ef522c5782ae5afc19f55a4daa8c Mon Sep 17 00:00:00 2001
From: Florian Roth <venom14@gmail.com>
Date: Tue, 24 May 2022 15:19:45 +0200
Subject: [PATCH] rule: suspicious anydesk start location

---
 .../proc_creation_win_anydesk_susp_folder.yml | 32 +++++++++++++++++++
 1 file changed, 32 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml

diff --git a/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml
new file mode 100644
index 000000000..275c219cf
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml
@@ -0,0 +1,32 @@
+title: Use of Anydesk Remote Access Software from Suspicious Folder
+id: 065b00ca-5d5c-4557-ac95-64a6d0b64d86
+status: experimental
+description: |
+  An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+  These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+  Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) 
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows
+author: Florian Roth
+date: 2022/05/20
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Image|endswith: '\AnyDesk.exe'
+        - Description: AnyDesk
+        - Product: AnyDesk
+        - Company: AnyDesk Software GmbH
+    filter:
+        Image|contains:
+            - '\\AppData\\'
+            - 'Program Files (x86)\\AnyDesk'
+            - 'Program Files\\AnyDesk'
+    condition: selection and not filter
+falsepositives:
+    - Legitimate use of AnyDesk from a non-standard folder
+level: high
+tags:
+    - attack.command_and_control
+    - attack.t1219