NF – POLICY – AnyDesk – Replay domain lookup

A DNS lookup for an AnyDesk (remote control tool) relay domain was made from the internal network to the internet.

Categories:

ID Number

5025152

Signature

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"NF - POLICY - AnyDesk - Replay domain lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; pcre:"/relay-[a-z0-9]{8}\x03net\x07anydesk\x03com/i"; reference:url,networkforensic.dk; metadata:25052019; classtype:policy-violation; sid:5025152; rev:2;)
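What the signature's two payload checks accept, as an added Python example that is not part of the original page: it builds DNS queries in wire format and applies the rule's content and pcre tests to them. The hostnames and the helper names build_query and rule_matches are constructed for illustration.

```python
import re
import struct

# Both patterns are copied from the signature above.
HEADER = bytes.fromhex("01000001000000000000")  # content, offset:2, depth:10
QNAME_RE = re.compile(rb"relay-[a-z0-9]{8}\x03net\x07anydesk\x03com", re.I)


def build_query(name, flags=0x0100, edns=False):
    """Build a DNS A/IN query for `name` in wire format (constructed test input)."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1 if edns else 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    packet = header + qname + struct.pack("!HH", 1, 1)
    if edns:
        # Empty EDNS0 OPT record: root name, type 41, UDP size 4096, no options.
        packet += struct.pack("!BHHIH", 0, 41, 4096, 0, 0)
    return packet


def rule_matches(payload):
    """Apply the signature's payload checks to one UDP payload."""
    # A 10-byte content with offset:2 and depth:10 can only sit at bytes 2..11:
    # flags 0x0100 (standard query, RD set), QDCOUNT 1, AN/NS/ARCOUNT 0.
    if payload[2:12] != HEADER:
        return False
    # The pcre is not relative, so it searches the whole payload.
    return QNAME_RE.search(payload) is not None


if __name__ == "__main__":
    samples = {
        "plain query": build_query("relay-a1b2c3d4.net.anydesk.com"),
        "mixed case": build_query("RELAY-A1B2C3D4.net.AnyDesk.com"),
        "other host": build_query("www.anydesk.com"),
        "with EDNS0": build_query("relay-a1b2c3d4.net.anydesk.com", edns=True),
        "AD bit set": build_query("relay-a1b2c3d4.net.anydesk.com", flags=0x0120),
    }
    for label, packet in samples.items():
        print(f"{label:12} -> {'alert' if rule_matches(packet) else 'no alert'}")
```

Because the content pins ARCOUNT and the flag bits, a query carrying an EDNS0 OPT record or the AD bit does not match, so check what the stub resolvers on your clients send when judging this rule's coverage.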

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

It is recommended to limit remote control access, to use internal tools such as RDP or VNC for it, and to make sure that the operating systems are updated.