NF – POLICY – AnyDesk Client – Outbound Connection – TLS client keyx

This alert is triggered when an AnyDesk client attempts an outbound connection over TLS (port 443). AnyDesk is a remote desktop application that a malicious actor may use to gain access to the network or exfiltrate data from it.

Categories:

ID Number

5025151

Signature

alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"NF - POLICY - AnyDesk Client - Outbound Connection - TLS client keyx"; ssl_state:client_keyx; content:"AnyDesk Client"; reference:url,networkforensic.dk; metadata:25052019; classtype:policy-violation; sid:5025151; rev:2;)

Severity

High

Recommendations/Investigative actions

Identify the device using AnyDesk and determine whether this connection is legitimate or potentially associated with unauthorized access attempts or data exfiltration. Block unauthorized remote access tools.
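
One way to carry out the "identify the device" step, shown as an added example that is not part of the original rule page: it groups alerts for sid 5025151 by internal source host and lists hosts without an AnyDesk approval first. It assumes the rule runs on a sensor that writes Suricata EVE JSON; the `APPROVED` allowlist and the sample events are constructed for illustration.

```python
import json
from collections import defaultdict

SID = 5025151  # sid of the signature on this page
APPROVED = {"10.0.9.40"}  # hypothetical hosts where AnyDesk is sanctioned

# Constructed sample in Suricata EVE JSON form (one event per line).
SAMPLE_EVE = """\
{"timestamp":"2024-01-10T09:15:02.000000+0000","event_type":"alert","src_ip":"10.0.5.23","dest_ip":"203.0.113.10","dest_port":443,"alert":{"signature_id":5025151}}
{"timestamp":"2024-01-10T09:15:03.000000+0000","event_type":"tls","src_ip":"10.0.5.23","dest_ip":"203.0.113.10","dest_port":443}
{"timestamp":"2024-01-10T08:01:44.000000+0000","event_type":"alert","src_ip":"10.0.9.40","dest_ip":"198.51.100.7","dest_port":443,"alert":{"signature_id":5025151}}
{"timestamp":"2024-01-10T11:30:00.000000+0000","event_type":"alert","src_ip":"10.0.5.23","dest_ip":"198.51.100.7","dest_port":443,"alert":{"signature_id":5025151}}
{"timestamp":"2024-01-10T11:31:00.000000+0000","event_type":"alert","src_ip":"10.0.7.7","dest_ip":"203.0.113.99","dest_port":443,"alert":{"signature_id":2000001}}
{"timestamp":"2024-01-10T11:32:00.000000+0000","event_type":"alert","src_ip":"10.0.5
"""

def triage(lines, approved=APPROVED, sid=SID):
    """Group alerts for `sid` by internal source host; unapproved hosts first."""
    hosts = defaultdict(lambda: {"alerts": 0, "seen": [], "dest_ips": set()})
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line (log rotation, partial write)
        if not isinstance(ev, dict) or ev.get("event_type") != "alert":
            continue  # flow, tls, dns and other non-alert records
        if ev.get("alert", {}).get("signature_id") != sid:
            continue  # alert from a different rule
        src, ts = ev.get("src_ip"), ev.get("timestamp")
        if not src or not ts:
            continue
        h = hosts[src]
        h["alerts"] += 1
        h["seen"].append(ts)  # same-offset ISO timestamps sort as strings
        h["dest_ips"].add(ev.get("dest_ip"))
    report = [{"src_ip": s, "approved": s in approved, "alerts": h["alerts"],
               "first_seen": min(h["seen"]), "last_seen": max(h["seen"]),
               "dest_ips": sorted(d for d in h["dest_ips"] if d)}
              for s, h in hosts.items()]
    # Unapproved hosts sort first, then by descending alert count.
    return sorted(report, key=lambda r: (r["approved"], -r["alerts"]))

if __name__ == "__main__":
    for row in triage(SAMPLE_EVE.splitlines()):
        print(row)
```

Each row gives the investigator the host to examine, the time window of activity, and the external addresses contacted, which can then be checked against asset inventory and remote-access approvals.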