ICAI Presents

Practice Management Software for the CA Practitioners & CA Firms

anydesk client exploit

CA. Charanjot Singh Nanda

President, ICAI
anydesk client exploit

CA. Prasanna Kumar D

Vice President, ICAI
anydesk client exploit

CA. Madhukar N. Hiregange

Chairman, CMP, ICAI
anydesk client exploit

CA. Satish Kumar Gupta

Vice Chairman, CMP, ICAI

An Advanced Practice Management Software to Enhance Operational Efficiency.
Register for the Practice Management Software

Register Here

Anydesk Client - Exploit

Here’s a and a Sigma rule (for log/sysmon detection) to detect potential exploitation of Anydesk client vulnerabilities (e.g., CVE-2020-13160, improper certificate validation, or RCE attempts). 🔍 YARA Rule – Detect Suspicious Anydesk Payloads rule AnyDesk_Client_Exploit_Indicators meta: description = "Detects known indicators of AnyDesk client exploitation" author = "Threat Intelligence" date = "2024-03-15" reference = "CVE-2020-13160, T1219" severity = "high" strings: $anydesk_exe = "AnyDesk.exe" nocase $anon_connect = "anonymous_connect" fullword $cmd_exec = "CreateProcess" fullword $shellcode_1 = 31 C0 50 68 ?? ?? ?? ?? 68 2E 65 78 65 // typical shellcode pattern $network_connect = "WinHttpOpen" fullword $untrusted_cert = "certificate validation failed" fullword $reg_persistence = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" fullword

condition: ( $anydesk_exe or $anon_connect or $untrusted_cert ) and ( $cmd_exec or $shellcode_1 or $network_connect or $reg_persistence ) title: Suspicious AnyDesk Client Activity id: 1a2b3c4d-5e6f-7890-abcd-ef1234567890 status: experimental description: Detects potential exploitation of AnyDesk client (e.g., CVE-2020-13160) through unusual child processes or command-line arguments. references: - https://nvd.nist.gov/vuln/detail/CVE-2020-13160 - https://attack.mitre.org/techniques/T1219/ logsource: category: process_creation product: windows service: sysmon detection: selection_anydesk: Image|endswith: '\AnyDesk.exe' selection_susp_args: CommandLine|contains: - '--silent' - '--install' - '--start-with-win' - '--service' selection_network: EventID: 3 # Network connection Image|endswith: '\AnyDesk.exe' DestinationPort: - 80 - 443 - 7070 # Default AnyDesk port - 6568 # Alternative selection_parent: ParentImage|endswith: - '\winword.exe' - '\excel.exe' - '\outlook.exe' - '\powershell.exe' - '\cmd.exe' - '\mshta.exe' - '\wscript.exe' condition: (selection_anydesk and selection_susp_args) or (selection_network and selection_parent) falsepositives: - Legitimate silent installation via deployment tools - Administrative use of AnyDesk level: high 🧠 Behavioral Indicators (EDR/SIEM) | Technique | Indicator | |-----------|------------| | Persistence | AnyDesk installed with --silent --install --service | | Lateral movement | AnyDesk.exe spawned by Office apps / script host | | Defense evasion | Certificate validation bypass → self-signed certs | | Remote access | Outbound connections on port 7070/6568 with command-line auth override ( --auth-token ) | ✅ Recommended Hunting Query (KQL example) DeviceProcessEvents | where FileName =~ "AnyDesk.exe" | where ProcessCommandLine has_any ("--silent", "--install", "--service", "--start-with-win") or InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powershell.exe", "cmd.exe", "mshta.exe") | project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName anydesk client exploit