
Remote Access Tool - AnyDesk Execution

Summary
This detection rule identifies execution of the remote access tool AnyDesk, which may indicate an adversary establishing an interactive command and control channel with legitimate software rather than custom malware. Tools of this kind are marketed for remote technical support and are frequently already permitted by application control, which is exactly why threat actors favour them: the binary is signed, widely deployed and rarely blocked. The rule matches on several artifacts of the AnyDesk binary, namely the image name and the Description, Product and Company fields carried in its version information; because those fields are embedded in the executable, they survive a rename of the file, which an image-name check alone would not. The rule uses the process_creation log source category for the Windows product. A match means that AnyDesk was started, not that the use was unauthorized: in environments where AnyDesk is allowed, the rule has to be tuned against approved accounts, installation paths and parent processes, and executions outside that baseline (unexpected users, user-writable directories, stripped or mismatched metadata) are the ones to investigate.
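The following is an added example of the matching logic described above, written here for illustration; it is not the SigmaHQ rule file. It assumes four indicators ORed together with Sigma-style case-insensitive matching (the image name ends with \AnyDesk.exe, or the Description, Product or Company version-info field contains "AnyDesk"), field names from the Sigma process_creation taxonomy, and a constructed allowlist of approved accounts to show the tuning step. The sample events are constructed in the shape of Sysmon Event ID 1 records, including a renamed binary whose version information still gives it away.

```python
"""AnyDesk process-creation detection, re-implemented as an added example.

Not the SigmaHQ rule file. Assumptions: the four indicators are ORed, string
matching is case-insensitive as in Sigma, and the event fields follow the
Sigma process_creation taxonomy (Image, Description, Product, Company, User).
"""

VERSION_INFO_FIELDS = ("Description", "Product", "Company")


def _field(event, name):
    """Read a string field, treating a missing or None value as empty."""
    return str(event.get(name) or "")


def anydesk_indicators(event):
    """Return the names of the indicators that fire for one event (empty list = no match)."""
    hits = []
    if _field(event, "Image").lower().endswith("\\anydesk.exe"):
        hits.append("Image")
    for name in VERSION_INFO_FIELDS:
        if "anydesk" in _field(event, name).lower():
            hits.append(name)
    return hits


# Constructed allowlist (assumption): accounts permitted to run AnyDesk.
APPROVED_USERS = {"CORP\\helpdesk-svc"}


def triage(event, approved_users=APPROVED_USERS):
    """Classify a matching event.

    Only a launch by an approved account with all four indicators present
    (intact file name and version information) is treated as approved use;
    a renamed binary or stripped metadata is suspicious regardless of user.
    """
    hits = anydesk_indicators(event)
    if not hits:
        return "no-match"
    if len(hits) == 4 and _field(event, "User") in approved_users:
        return "approved-use"
    return "alert"


# Constructed sample events in the shape of Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {  # normal launch from the install directory by the approved account
        "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
        "Description": "AnyDesk", "Product": "AnyDesk",
        "Company": "AnyDesk Software GmbH", "User": r"CORP\helpdesk-svc",
    },
    {  # renamed binary: the image-name indicator misses, version info does not
        "Image": r"C:\Users\Public\update.exe",
        "Description": "AnyDesk", "Product": "AnyDesk",
        "Company": "AnyDesk Software GmbH", "User": r"CORP\jdoe",
    },
    {  # unrelated system process
        "Image": r"C:\Windows\System32\svchost.exe",
        "Description": "Host Process for Windows Services",
        "Product": "Microsoft Windows Operating System",
        "Company": "Microsoft Corporation", "User": r"NT AUTHORITY\SYSTEM",
    },
    {  # stripped metadata, lower-case file name: only the image-name indicator fires
        "Image": r"C:\Temp\anydesk.exe",
        "Description": "", "Product": None, "User": r"CORP\jdoe",
    },
]


def run_rule(events):
    """Apply the rule to a batch; returns (index, verdict, hits) for each matching event."""
    results = []
    for i, ev in enumerate(events):
        hits = anydesk_indicators(ev)
        if hits:
            results.append((i, triage(ev), hits))
    return results


if __name__ == "__main__":
    for idx, verdict, hits in run_rule(SAMPLE_EVENTS):
        print(f"event {idx}: {verdict:13} indicators={hits}")
```

Events 0, 1 and 3 match; only event 0 is classed as approved use. The renamed binary in event 1 is caught purely on its version information, which is the reason the rule carries those fields alongside the image name.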
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1219
Created: 2022-02-11