Anydesk Temporary Artefact

Sigma Rules

Summary
This Sigma rule detects file activity associated with AnyDesk, a legitimate remote desktop application that adversaries also deploy as a ready-made command-and-control (C2) channel inside compromised networks (MITRE ATT&CK T1219, Remote Access Software). It matches file events on AnyDesk's configuration files, 'user.conf' and 'system.conf', inside the AnyDesk application data directories on Windows (typically %APPDATA%\AnyDesk for per-user and portable use). These files are created when AnyDesk runs, so the rule catches both installed and portable copies, including a binary an intruder drops into a user profile and runs without an installer. Abusing legitimate tools in this way is often grouped under 'Living off the Land', although strictly that term covers tools already present on the host; AnyDesk is third-party software brought onto the system. The rule depends on file-event telemetry such as Sysmon Event ID 11 (FileCreate) or an equivalent EDR file-create source, so those events must be collected on the endpoint for it to fire. Expect false positives from authorized support staff who use AnyDesk for legitimate remote assistance. Triage a hit by checking which account wrote the file, which image did so (a copy running from Downloads or Temp is more suspicious than one in Program Files), and whether that user is expected to run remote access software; allow-listing known support accounts keeps the rule useful without silencing it.
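The matching logic described above, run over constructed file-create records, as an added example (this is not the Sigma rule text and not AnyDesk's own code). The selection is reconstructed from the summary: the target path must lie under an AnyDesk data directory and end in user.conf or system.conf, compared case-insensitively as Sigma string modifiers do. The %PROGRAMDATA%\AnyDesk location for the installed service's system.conf is an assumption added here, the Sysmon field names are only the subset needed, and every host, user and path in the sample events is invented.

```python
from dataclasses import dataclass

# Assumed selection, reconstructed from the rule summary rather than copied
# from the rule file: a file event whose path lies in an AnyDesk data
# directory and names one of its two configuration files.  Comparisons are
# done on lower-cased paths because Sigma's contains/endswith modifiers are
# case-insensitive.
ANYDESK_DIRS = (
    "\\appdata\\roaming\\anydesk\\",   # per-user and portable use
    "\\programdata\\anydesk\\",        # installed service (assumed location)
)
CONFIG_FILES = ("\\user.conf", "\\system.conf")


@dataclass(frozen=True)
class FileEvent:
    """Subset of Sysmon Event ID 11 (FileCreate) fields used by the check."""
    utc_time: str
    user: str
    image: str
    target_filename: str


def matches_anydesk_artefact(ev: FileEvent) -> bool:
    """True when the event is an AnyDesk user.conf/system.conf write."""
    path = ev.target_filename.lower()
    return any(d in path for d in ANYDESK_DIRS) and path.endswith(CONFIG_FILES)


def triage(events, authorized_users=frozenset()):
    """Split matching events into alerts and suppressed hits.

    Hits by accounts in authorized_users (compared case-insensitively on the
    DOMAIN\\user string) are returned separately instead of being dropped, so
    an analyst can still review them.
    """
    allow = {u.lower() for u in authorized_users}
    alerts, suppressed = [], []
    for ev in events:
        if not matches_anydesk_artefact(ev):
            continue
        (suppressed if ev.user.lower() in allow else alerts).append(ev)
    return alerts, suppressed


# Constructed sample telemetry; none of these records come from a real host.
SAMPLE_EVENTS = [
    # Portable copy run from a Downloads folder: classic intruder pattern.
    FileEvent("2024-03-01 09:12:03", "CORP\\alice",
              "C:\\Users\\alice\\Downloads\\AnyDesk.exe",
              "C:\\Users\\alice\\AppData\\Roaming\\AnyDesk\\user.conf"),
    # Installed service writing its machine-wide config (assumed path).
    FileEvent("2024-03-01 09:12:05", "NT AUTHORITY\\SYSTEM",
              "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe",
              "C:\\ProgramData\\AnyDesk\\system.conf"),
    # Same directory, but a trace file: not one of the two config files.
    FileEvent("2024-03-01 09:13:10", "CORP\\bob",
              "C:\\Users\\bob\\AppData\\Roaming\\AnyDesk\\AnyDesk.exe",
              "C:\\Users\\bob\\AppData\\Roaming\\AnyDesk\\ad.trace"),
    # Right file name, wrong directory: must not match.
    FileEvent("2024-03-01 09:14:00", "CORP\\bob",
              "C:\\Windows\\System32\\notepad.exe",
              "C:\\Users\\bob\\Documents\\user.conf"),
    # Authorized support account: matches, but is suppressed at triage.
    FileEvent("2024-03-01 10:02:41", "CORP\\helpdesk",
              "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe",
              "C:\\Users\\helpdesk\\AppData\\Roaming\\AnyDesk\\user.conf"),
    # Mixed-case path: still matches because comparison is case-insensitive.
    FileEvent("2024-03-01 11:47:19", "CORP\\eve",
              "C:\\Users\\eve\\AppData\\Local\\Temp\\ad.exe",
              "C:\\Users\\eve\\AppData\\Roaming\\anydesk\\USER.CONF"),
]


if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS, authorized_users={"CORP\\helpdesk"})
    for ev in alerts:
        print(f"ALERT      {ev.utc_time} {ev.user:<22} {ev.image} -> {ev.target_filename}")
    for ev in suppressed:
        print(f"suppressed {ev.utc_time} {ev.user:<22} {ev.image} -> {ev.target_filename}")
```

Note that the image path is carried through to the alert on purpose: the rule itself only looks at the target file, so the analyst's first question (installed AnyDesk or a loose binary in Downloads or Temp?) is answered from the same record without a second query.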
Categories
  • Endpoint
  • Windows
Data Sources
  • File
ATT&CK Techniques
  • T1219
Created: 2022-02-11