Skip to content

Commit

Permalink
Update proc_creation_win_remote_access_tools_anydesk_piped_password_v…
Browse files Browse the repository at this point in the history
…ia_cli.yml
  • Loading branch information
DanielKoifman committed Dec 23, 2024
1 parent 71b37e3 commit 3d81de6
Showing 1 changed file with 3 additions and 4 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ status: test
description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
references:
- https://redcanary.com/blog/misbehaving-rats/
author: Nasreddine Bencherchali (Nextron Systems)
author: Nasreddine Bencherchali (Nextron Systems), Daniel Koifman (@KoifSec)
date: 2022-09-28
modified: 2023-03-05
tags:
Expand All @@ -15,10 +15,9 @@ logsource:
product: windows
detection:
selection:
CommandLine|contains|all:
CommandLine|contains:
# Example: C:\WINDOWS\system32\cmd.exe /C cmd.exe /c echo J9kzQ2Y0qO |C:\ProgramData\anydesk.exe --set-password
- '/c '
- 'echo '
# Example above will not create a single event, but split each command into its own event.
- '.exe --set-password'
condition: selection
falsepositives:
Expand Down

0 comments on commit 3d81de6

Please sign in to comment.