James_inthe_box

Anydesk snort suricata yara

Apr 9th, 2020
rule Anydesk_bin
{
    meta:
        description = "Anydesk Remote Desktop"
        author = "James_inthe_box"
        reference = "https://app.any.run/tasks/350b9457-b888-45a2-b3ea-095de35fb3ad"
        date = "2020/04"
        maltype = "RAT"

    strings:
        $string1 = "Anydesk" fullword nocase ascii wide
        $string2 = "service.conf" fullword nocase ascii wide
        $string3 = "system.conf" fullword nocase ascii wide

    condition:
        uint16(0) == 0x5A4D and all of ($string*) and filesize < 800KB
}

rule Anydesk_mem
{
    meta:
        description = "Anydesk Remote Desktop"
        author = "James_inthe_box"
        reference = "https://app.any.run/tasks/350b9457-b888-45a2-b3ea-095de35fb3ad"
        date = "2020/04"
        maltype = "RAT"

    strings:
        $string1 = "Anydesk" fullword nocase ascii wide
        $string2 = "service.conf" fullword nocase ascii wide
        $string3 = "system.conf" fullword nocase ascii wide

    condition:
        all of ($string*) and filesize > 800KB
}


snort / suricata
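An added example (my code, not part of the paste and not YARA itself): a pure-Python approximation of the two rules' conditions, run over constructed buffers, to show what `uint16(0) == 0x5A4D`, the `ascii wide nocase fullword` modifiers and the `800KB` split actually test. The buffers are constructed for illustration, not real AnyDesk samples, and the word-boundary handling is an approximation of YARA's; use yara or yara-python for real scanning.

```python
"""Approximate the two pasted YARA rules' conditions in plain Python.

Added example, not from the original paste and not the YARA engine: it mimics
what `uint16(0)`, `ascii wide nocase fullword` and `filesize` mean so the
rules can be reasoned about without yara-python installed.
"""
import re

STRINGS = ["Anydesk", "service.conf", "system.conf"]
SIZE_SPLIT = 800 * 1024          # YARA's "800KB" is 800 * 1024 bytes


def fullword_patterns(s: str):
    """Build regexes for the `nocase ascii wide fullword` modifiers.

    `ascii` matches the plain bytes; `wide` matches UTF-16LE (each character
    followed by a NUL); `fullword` rejects hits preceded or followed by an
    alphanumeric character (for wide, an alphanumeric followed by NUL).
    """
    ascii_pat = rb"(?<![A-Za-z0-9])" + re.escape(s.encode()) + rb"(?![A-Za-z0-9])"
    wide_body = b"".join(re.escape(c.encode()) + rb"\x00" for c in s)
    wide_pat = rb"(?<![A-Za-z0-9]\x00)" + wide_body + rb"(?![A-Za-z0-9]\x00)"
    return re.compile(ascii_pat, re.IGNORECASE), re.compile(wide_pat, re.IGNORECASE)


def all_strings_present(data: bytes) -> bool:
    """`all of ($string*)`: every string must hit at least once, in either form."""
    return all(a.search(data) or w.search(data)
               for a, w in map(fullword_patterns, STRINGS))


def anydesk_bin(data: bytes) -> bool:
    """rule Anydesk_bin: MZ header at offset 0, all strings, filesize < 800KB."""
    mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    return mz and all_strings_present(data) and len(data) < SIZE_SPLIT


def anydesk_mem(data: bytes) -> bool:
    """rule Anydesk_mem: all strings, filesize > 800KB, no header check."""
    return all_strings_present(data) and len(data) > SIZE_SPLIT


def scan(data: bytes) -> list:
    """Return the names of the rules whose conditions hold for `data`."""
    rules = (("Anydesk_bin", anydesk_bin), ("Anydesk_mem", anydesk_mem))
    return [name for name, rule in rules if rule(data)]


# Constructed sample buffers (not real AnyDesk binaries).
# A small PE-like blob: MZ header, ASCII "service.conf", then UTF-16LE
# "AnyDesk" and "system.conf" (the `wide` and `nocase` modifiers cover them).
SMALL_PE = (
    b"MZ" + b"\x90" * 62
    + b"\x00service.conf\x00\x00"
    + "AnyDesk".encode("utf-16-le") + b"\x00\x00"
    + "system.conf".encode("utf-16-le")
    + b"\x00" * 256
)
# A memory-dump-like buffer: no MZ at offset 0, padded past 800KB.
BIG_DUMP = b"\x00" * 16 + b"AnyDesk service.conf system.conf" + b"\x00" * SIZE_SPLIT
# "Anydesk" only as part of a longer identifier: `fullword` rejects it.
NOT_FULLWORD = (b"MZ" + b"\x00" * 64
                + b"MyAnydeskLoader service.conf system.conf" + b"\x00" * 64)

if __name__ == "__main__":
    for name, buf in (("SMALL_PE", SMALL_PE), ("BIG_DUMP", BIG_DUMP),
                      ("NOT_FULLWORD", NOT_FULLWORD)):
        print(f"{name:13} {len(buf):7d} bytes -> {scan(buf) or 'no match'}")
```

Running it shows the small buffer firing only Anydesk_bin and the large one only Anydesk_mem: the `<`/`>` thresholds make the two rules mutually exclusive, so a file of exactly 800KB matches neither, and `fullword` drops the hit where "Anydesk" is embedded in a longer identifier.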
  39. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Anydesk User-Agent"; flow:established,to_server; content:"User-Agent|3a| Anydesk"; http_header; reference:md5,dbd72c9f5be0bd3f150111661917db67; classtype:trojan-activity; sid:20166321; rev:1; metadata:created_at 2020_04_09;)
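An added example (my code, not from the paste and not Snort or Suricata): a small parser for the rule above that separates the header from the options, decodes the `content` string's `|3a|` hex escape, and evaluates the `content`/`http_header` pair against constructed request header blocks. It implements only that check, not `flow` tracking, port matching or variable resolution; `$HOME_NET`-style variables are carried through as text.

```python
"""Parse the pasted Snort/Suricata rule and evaluate its http_header content
match against constructed HTTP request headers.

Added example, not part of the original paste and not the Snort/Suricata
engine: it mirrors only `content` + `http_header`, nothing else in the rule
language. Header samples below are constructed, not captured traffic.
"""
import re

RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Anydesk User-Agent"; '
        'flow:established,to_server; content:"User-Agent|3a| Anydesk"; http_header; '
        'reference:md5,dbd72c9f5be0bd3f150111661917db67; classtype:trojan-activity; '
        'sid:20166321; rev:1; metadata:created_at 2020_04_09;)')


def parse_rule(rule: str):
    """Split a rule into its 7-field header and an ordered list of (key, value) options.

    Assumes the first '(' opens the option list, as it does for this rule.
    Options without a value (e.g. `http_header`) get None.
    """
    head, _, body = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = head.split()
    header = {"action": action, "proto": proto, "src": src, "sport": sport,
              "direction": direction, "dst": dst, "dport": dport}
    body = body.rstrip().rstrip(")")
    options = []
    # Split on ';' only outside double quotes, since a content may contain ';'.
    for opt in re.findall(r'(?:[^;"]|"[^"]*")+', body):
        key, _, value = opt.strip().partition(":")
        options.append((key, value or None))
    return header, options


def decode_content(value: str) -> bytes:
    """Turn a content string (quoted, with |hh hh| hex escapes) into raw bytes."""
    out = b""
    for i, part in enumerate(value.strip('"').split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return out


def http_header_matches(rule: str, raw_request: bytes) -> bool:
    """True when every content in the rule is found in its buffer.

    A content followed by `http_header` is looked up in the header block only
    (bytes before the first blank line); any other content in the whole request.
    """
    _, options = parse_rule(rule)
    checks = []                                   # [needle, buffer name]
    for key, value in options:
        if key == "content":
            checks.append([decode_content(value), "payload"])
        elif key == "http_header" and checks:
            checks[-1][1] = "http_header"
    header_block = raw_request.split(b"\r\n\r\n", 1)[0]
    return all(needle in (header_block if buf == "http_header" else raw_request)
               for needle, buf in checks)


# Constructed request samples (not captured traffic).
HIT = b"GET / HTTP/1.1\r\nHost: relay.example\r\nUser-Agent: Anydesk\r\n\r\n"
MISS = b"GET / HTTP/1.1\r\nHost: relay.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
# Same bytes, but in the body: outside the http_header buffer, so no alert.
BODY_ONLY = b"POST / HTTP/1.1\r\nHost: relay.example\r\n\r\nUser-Agent: Anydesk"

if __name__ == "__main__":
    header, options = parse_rule(RULE)
    print(header)
    print(dict(options)["msg"], "sid", dict(options)["sid"])
    for name, req in (("HIT", HIT), ("MISS", MISS), ("BODY_ONLY", BODY_ONLY)):
        print(f"{name:9} -> {'alert' if http_header_matches(RULE, req) else 'no alert'}")
```

Two details the constructed input makes visible: `http_header` scopes the match to the request header block, so the same bytes in a POST body do not fire, and `content` is an exact-case byte match unless a rule adds `nocase`, so the rule as written alerts only on the capitalisation it lists.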