Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- rule Anydesk_bin
- {
- meta:
- description = "Anydesk Remote Desktop"
- author = "James_inthe_box"
- reference = "https://app.any.run/tasks/350b9457-b888-45a2-b3ea-095de35fb3ad"
- date = "2020/04"
- maltype = "RAT"
- strings:
- $string1 = "Anydesk" fullword nocase ascii wide
- $string2 = "service.conf" fullword nocase ascii wide
- $string3 = "system.conf" fullword nocase ascii wide
- condition:
- uint16(0) == 0x5A4D and all of ($string*) and filesize < 800KB
- }
- rule Anydesk_mem
- {
- meta:
- description = "Anydesk Remote Desktop"
- author = "James_inthe_box"
- reference = "https://app.any.run/tasks/350b9457-b888-45a2-b3ea-095de35fb3ad"
- date = "2020/04"
- maltype = "RAT"
- strings:
- $string1 = "Anydesk" fullword nocase ascii wide
- $string2 = "service.conf" fullword nocase ascii wide
- $string3 = "system.conf" fullword nocase ascii wide
- condition:
- all of ($string*) and filesize > 800KB
- }
- snort / suricata
- alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Anydesk User-Agent"; flow:established,to_server; content:"User-Agent|3a| Anydesk"; http_header; reference:md5,dbd72c9f5be0bd3f150111661917db67; classtype:trojan-activity; sid:20166321; rev:1; metadata:created_at 2020_04_09;)
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement