← Back to SOC feed Coverage →

Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate

sigma MEDIUM SigmaHQ
imProcessCreate
evasion
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-18T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects the execution of an AnyDesk binary with a version prior to 8.0.8. Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors. Use this rul

Detection Rule

Sigma (Original)

title: Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
id: 41f407b5-3096-44ea-a74f-96d04fbc41be
status: test
description: |
    Detects the execution of an AnyDesk binary with a version prior to 8.0.8.
    Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors.
    Use this rule to detect instances of older versions of Anydesk using the compromised certificate
    This is recommended in order to avoid attackers leveraging the certificate and signing their binaries to bypass detections.
references:
    - https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/
    - https://anydesk.com/en/changelog/windows
author: Sai Prashanth Pulisetti, Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-08
tags:
    - attack.execution
    - attack.initial-access
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith: '\AnyDesk.exe'
        - Description: 'AnyDesk'
        - Product: 'AnyDesk'
        - Company: 'AnyDesk Software GmbH'
    selection_version:
        FileVersion|startswith:
            - '7.0.'
            - '7.1.'
            - '8.0.1'
            - '8.0.2'
            - '8.0.3'
            - '8.0.4'
            - '8.0.5'
            - '8.0.6'
            - '8.0.7'
    filter_main_uninstall:
        CommandLine|contains:
            - ' --remove'
            - ' --uninstall'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unlikely
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where ((TargetProcessName endswith "\\AnyDesk.exe" or TargetProcessFileDescription =~ "AnyDesk" or TargetProcessFileProduct =~ "AnyDesk" or TargetProcessFileCompany =~ "AnyDesk Software GmbH") and (TargetProcessFileVersion startswith "7.0." or TargetProcessFileVersion startswith "7.1." or TargetProcessFileVersion startswith "8.0.1" or TargetProcessFileVersion startswith "8.0.2" or TargetProcessFileVersion startswith "8.0.3" or TargetProcessFileVersion startswith "8.0.4" or TargetProcessFileVersion startswith "8.0.5" or TargetProcessFileVersion startswith "8.0.6" or TargetProcessFileVersion startswith "8.0.7")) and (not((TargetProcessCommandLine contains " --remove" or TargetProcessCommandLine contains " --uninstall")))

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_revoked_cert.yml