From 5bf6d9edaff4fffd04459b7b7837c2a2f28febfd Mon Sep 17 00:00:00 2001
From: Daniel Koifman
Date: Mon, 23 Dec 2024 12:54:59 +0200
Subject: [PATCH] Delete rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml
---
 ...s_tools_anydesk_piped_password_via_cli.yml | 26 -------------------
 1 file changed, 26 deletions(-)
 delete mode 100644 rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml
deleted file mode 100644
index b8401e3f6d9..00000000000
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_piped_password_via_cli.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: Remote Access Tool - AnyDesk Piped Password Via CLI
-id: b1377339-fda6-477a-b455-ac0923f9ec2c
-status: test
-description: Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.
-references:
-    - https://redcanary.com/blog/misbehaving-rats/
-author: Nasreddine Bencherchali (Nextron Systems), Daniel Koifman (@KoifSec)
-date: 2022-09-28
-modified: 2023-03-05
-tags:
-    - attack.command-and-control
-    - attack.t1219
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine|contains:
-            # Example: C:\WINDOWS\system32\cmd.exe /C cmd.exe /c echo J9kzQ2Y0qO |C:\ProgramData\anydesk.exe --set-password
-            # Example above will not create a single event, but split each command into its own event.
-            - '.exe --set-password'
-    condition: selection
-falsepositives:
-    - Legitimate piping of the password to anydesk
-    - Some FP could occur with similar tools that uses the same command line '--set-password'
-level: medium