
AnyDesk Command Line Execution

Anvilogic Forge

Summary
This detection rule identifies executions of the AnyDesk remote desktop application that are launched from a command-line interpreter such as cmd.exe or PowerShell.exe rather than through the GUI, which is how most legitimate users start it. Installation commands are filtered out so that the rule focuses on possible misuse of the software, which has been associated with several threat actors including Alloy Taurus, Gallium, and others. By monitoring process execution, the rule helps uncover command-and-control activity that abuses remote access software for unauthorized access, corresponding to MITRE ATT&CK technique T1219 (Remote Access Software). The detection logic is implemented as a Snowflake query over EDR process logs that examines recent events where AnyDesk is executed. Because remote access tools are abused by a broad spectrum of threat actors, the rule is widely applicable.
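The following is an added example of the detection logic described above, run over a handful of constructed process-creation events. It is not the Anvilogic Forge rule's own Snowflake query; the table name, column names, and the SQLite dialect are assumptions chosen so the logic can run offline. The AnyDesk switches shown in the sample command lines (`--install`, `--start-with-win`, `--silent`) are AnyDesk CLI options as the author recalls them and are likewise treated as assumptions; the detection itself keys on the parent process and on excluding install commands, not on any other flag.

```python
"""Added example: detect AnyDesk launched from cmd.exe or powershell.exe,
excluding installation commands, over constructed EDR process events.
Not the Forge rule's query; SQLite stands in for Snowflake here."""
import sqlite3

# Constructed sample EDR process-creation events (not real telemetry).
# Columns: event_time, host, user_name, parent_image, image, command_line
SAMPLE_EVENTS = [
    # 1. Normal GUI launch from Explorer: should NOT match.
    ("2024-02-09T10:01:00Z", "WS01", "alice", r"C:\Windows\explorer.exe",
     r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     r'"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"'),
    # 2. Scripted install from cmd.exe. The rule deliberately excludes
    #    installation commands, so this should NOT match. (--install,
    #    --start-with-win and --silent are assumed AnyDesk CLI switches.)
    ("2024-02-09T10:05:00Z", "WS02", "bob", r"C:\Windows\System32\cmd.exe",
     r"C:\Users\bob\Downloads\AnyDesk.exe",
     r'AnyDesk.exe --install "C:\Program Files (x86)\AnyDesk" --start-with-win --silent'),
    # 3. AnyDesk staged in a world-writable folder, started from cmd.exe: MATCH.
    ("2024-02-09T10:07:00Z", "WS02", "bob", r"C:\Windows\System32\cmd.exe",
     r"C:\Users\Public\AnyDesk.exe", r'"C:\Users\Public\AnyDesk.exe"'),
    # 4. Launched from PowerShell: MATCH.
    ("2024-02-09T10:09:00Z", "WS03", "carol",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\ProgramData\AnyDesk\AnyDesk.exe", r'"C:\ProgramData\AnyDesk\AnyDesk.exe"'),
    # 5. Same pattern as 3 but outside the lookback window: should NOT match.
    ("2024-02-01T08:00:00Z", "WS04", "dave", r"C:\Windows\System32\cmd.exe",
     r"C:\Users\Public\AnyDesk.exe", r'"C:\Users\Public\AnyDesk.exe"'),
]

# Assumed query shape (SQLite dialect standing in for Snowflake). Conditions:
# AnyDesk image, parent is cmd.exe or powershell.exe, not an --install
# command, and inside the lookback window. Backslashes are literal in SQLite
# LIKE patterns (no default escape character), so '%\cmd.exe' anchors on the
# path separator rather than matching e.g. "mycmd.exe".
DETECTION_SQL = r"""
SELECT event_time, host, user_name, parent_image, image, command_line
FROM edr_process_events
WHERE LOWER(image) LIKE '%\anydesk%.exe'
  AND (LOWER(parent_image) LIKE '%\cmd.exe'
       OR LOWER(parent_image) LIKE '%\powershell.exe')
  AND LOWER(command_line) NOT LIKE '%--install%'
  AND event_time >= :since
ORDER BY event_time
"""

COLUMNS = ["event_time", "host", "user_name", "parent_image", "image", "command_line"]


def detect_anydesk_cli(events, since):
    """Load events into an in-memory table, run the detection query, and
    return the matching rows as dicts ordered by event_time."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE edr_process_events ("
        "event_time TEXT, host TEXT, user_name TEXT, "
        "parent_image TEXT, image TEXT, command_line TEXT)"
    )
    con.executemany("INSERT INTO edr_process_events VALUES (?,?,?,?,?,?)", events)
    rows = con.execute(DETECTION_SQL, {"since": since}).fetchall()
    con.close()
    return [dict(zip(COLUMNS, r)) for r in rows]


if __name__ == "__main__":
    for hit in detect_anydesk_cli(SAMPLE_EVENTS, since="2024-02-08T00:00:00Z"):
        print(f'{hit["event_time"]} {hit["host"]} {hit["user_name"]} '
              f'{hit["parent_image"]} -> {hit["command_line"]}')
```

Two caveats a practitioner would want: matching on the image name misses a renamed AnyDesk binary, so in production you would also key on binary metadata your EDR exposes (original file name, file description, or signer) rather than the path alone; and PowerShell 7 ships as pwsh.exe, which the page's cmd.exe/PowerShell.exe pairing does not cover unless you add it to the parent-image list.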
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
ATT&CK Techniques
  • T1219
Created: 2024-02-09