← Back to Explore
sigmamediumHunting
Anydesk Remote Access Software Service Installation
Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.
Detection Query
selection_provider:
Provider_Name: Service Control Manager
EventID: 7045
selection_service:
- ServiceName|contains|all:
- AnyDesk
- Service
- ImagePath|contains: AnyDesk
condition: all of selection_*
Author
Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
Created
2022-08-11
Data Sources
windowssystem
Platforms
windows
References
Tags
attack.persistence
Raw Content
title: Anydesk Remote Access Software Service Installation
id: 530a6faa-ff3d-4022-b315-50828e77eef5
status: test
description: Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.
references:
- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
- https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-08-11
modified: 2025-02-24
tags:
- attack.persistence
logsource:
product: windows
service: system
detection:
selection_provider:
Provider_Name: 'Service Control Manager'
EventID: 7045
selection_service:
- ServiceName|contains|all:
- 'AnyDesk' # Covers both AnyDesk Service and AnyDesk MSI Service
- 'Service'
- ImagePath|contains: 'AnyDesk'
condition: all of selection_*
falsepositives:
- Legitimate usage of the anydesk tool
level: medium