Attackers love dropping legitimate tools within your environment and during an incident, you’ll see many of them; if you’ve worked any common network intrusion incident or ransomware, you’ve probably come across the tool named “AnyDesk”. AnyDesk is a Remote Monitoring and Management (RMM) tool that Threat Actors (TA) love to abuse! Because it’s a legitimate tool, TAs will often drop this in your environment in an effort to stay undetected and avoid setting off endpoint tools. Let’s discuss what AnyDesk is, why TAs love to use it, and how to investigate artifacts associated with the tool. Let’s dive right in!
The Rundown
AnyDesk is a legitimate RMM tool that is often abused by attackers
TAs will often leverage AnyDesk for persistence or lateral movement
It's not uncommon to see a TA leverage numerous RMM tools aside from AnyDesk
You may often come across a TA using multiple RMM tools within a single victim environment
AnyDesk can be used to perform remote actions, such as interactive remote control, file transfers, unattended access, and much more
Custom installers of AnyDesk can be created
AnyDesk supports “Portable Mode”, which means it does not need to be installed on a system
As with other common executables, artifacts are generated when AnyDesk is installed/executed on a host. This includes artifacts such as Prefetch, UserAssist, SRUM, Jumplists, service install events, and more
AnyDesk generates a number of logs associated with connections
Various logs created can record information such as connecting IP addresses, usernames, session events such as copy/paste, file transfer, etc., the type of connection established, and more
Security Event Log logon types may show up as a “type 2” interactive logon when an AnyDesk logon is conducted
There! Now that I scared you by telling you that TAs are abusing tools that your admins probably use too (just like most other tools that TAs abuse), let’s dive into why attackers love to use this tool.
As I mentioned above, AnyDesk is a legitimate RMM tool. Depending on your organization, your admins might be using this tool to perform legitimate actions and assistance across your environment! Because of this, endpoint tools such as Anti-Virus, EDR, etc. will not block this tool by default. TAs also know that you’re likely not restricting certain applications from executing within your environment and probably aren’t managing a list of approved software. Therefore, how can you respond properly to something if you’re not even sure if it's an expected tool! This is why it's important to understand what's normal in your environment and create a baseline understanding!
To make things even better, AnyDesk supports forward and reverse-tunneling over TCP, so you may see remote actions being performed through AnyDesk over SSH! Note that as per AnyDesk, TCP-Tunneling features are dependent on SMB. The capabilities are nearly limitless, which is why it’s often a fan-favorite tool for attackers.
And… wait for it… wait…. IT’S FREE!
Many of us have probably come across AnyDesk in investigations, but have you ever used it? It's scary simple and, quite frankly, has a clean interface! You literally download it (you don't need to create an account), and execute it on both your host and your target. You'll provide the identifier of the target on your host and BAM! You're connected!

Once executed, it’ll create its relay and attempt to connect back to the AnyDesk relay consistently, so long as it has a network connection of course.

Let's pull up our connection now! Once connected, you'll be presented with the screen of the target desktop! All ur bases are belong to us!

You’ll often see an attacker installing or pushing out AnyDesk shortly after gaining access using unattended access as a means of persistence. They’ll use the compromised host and its AnyDesk connection to gain access back into the environment. Remember, this is a remote interactive tool, so the attacker will be shown the desktop and be able to move the mouse once a connection is established. You’ll also see them installing AnyDesk across the environment as a means of lateral movement. Who needs RDP when they can remotely push the install agent using SMB, execute it and connect via their AnyDesk console! Classy!
Keep in mind that AnyDesk can be executed in "portable mode". This means that it doesn't need to be installed on the system and can run with just the executable.
I briefly mentioned in “The Rundown” section that it's not uncommon for a TA to install numerous RMM tools. Why is this? Well… think about it. If you’re not aware of what’s normal in your environment, you may miss other tools dropped by the TA. The attacker wants you to think that AnyDesk is the only tool they used; so once you perform remediation without properly scoping the entire incident, you may not realize that they also installed Splashtop and Atera (a story for another day).
With this said, you know we’re about to discuss the logs and artifacts! There are some nuances and “gotchas” when it comes to these, so I’ll do my best to mention these.
Note that the location of these logs will vary based on how AnyDesk is executed/installed.
AnyDesk Logs
The default location for AnyDesk "portable" will be within C:\Users\%username%\appdata\roaming\AnyDesk

The default location for logs once AnyDesk is installed is C:\Program Files (x86)\AnyDesk as well as C:\ProgramData\AnyDesk. You may also come across files within C:\Users\%Username%\Appdata\roaming\AnyDesk.

connection_trace.txt
These are critical logs that are very basic, yet important! These contain the successful connections established via AnyDesk. Note that if you see connections in other logs, such as network logs or ad.trace, but don't see an entry in connection_trace.txt, it's possible the session wasn't fully established. Here, you'll see the type of connection, timestamps, the type of authentication, and the AnyDesk connection IDs. Note that the field after the timestamps, in this case “User”, represents the authentication used. You may come across “User”, “Passwd”, “Token” and others. Note that in most instances, a TA is setting this up with unattended access, which means it will not require the end-user to accept the connection; in my experience, these represent the following:
User - The target system accepted the connection manually
Passwd - A password was used; often when unattended access is configured
Token - A session token was used

ad.trace
This log can be complicated, but that's only because it records a TON of activity; essentially, this log contains the majority of AnyDesk activity. This includes connections (failed or successful), file transfer events, clipboard events, source IP addresses and more.

Notice the asterisks in this log? Indicated by "****". Well, these indicate different sessions. So each session will be separated by these asterisks. Note that if you don’t see data above these asterisks, you may be looking at someone deleting log entries! Be sure to always validate that with other artifacts!

If you want to see the connecting IP address, look for something that references "logged in from" (thank you to Andrew M on LinkedIn for correcting this!).

Want to see File transfer events? There's an entry for that and numerous artifacts to show file transfers! Keep in mind that the interface for this is very simple and can allow a TA to upload and download files via a simple interface. Let's take a look at this below.

Once the file event is started, you'll see a log in ad.trace or ad.trace_svc. Notice that you can search for keywords such as "app.file_progress_hub" or "app.local_file_transfer".

There's even a dedicated file created that logs these events called "file_transfer_trace.txt"! This has the bytes of the transfer. Note that if this fails, you'll likely see the attempts here, but mismatched bytes at the end.
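As an added example (my own code, not the post's or AnyDesk's), here is a small Python triage script that pulls the authentication type out of connection_trace.txt entries and splits an ad.trace excerpt into sessions on the asterisk separators, picking up the "logged in from" source IP and the file-transfer keywords mentioned above. The sample log lines are constructed, and their exact column layout is an assumption based on the fields the post describes.

```python
import re
# Constructed connection_trace.txt sample: field order from the post, tab layout assumed.
CONNECTION_TRACE = """\
Incoming\t2023-05-10, 09:12\tUser\t123456789\t123456789
Incoming\t2023-05-10, 23:41\tPasswd\t987654321\t987654321
Incoming\t2023-05-11, 02:07\tToken\t987654321\t987654321
"""
# Constructed ad.trace excerpt: "****" session separators, a "logged in from" line with
# the source IP, file-transfer keywords, and back-to-back separators (an empty session).
AD_TRACE = """\
    info 2023-05-10 09:12:03.101  anynet.any_socket - Logged in from 192.0.2.10:50120 on relay.
    info 2023-05-10 09:40:11.207  app.local_file_transfer - Download finished.
****************************************
****************************************
    info 2023-05-10 23:41:08.552  anynet.any_socket - Logged in from 203.0.113.5:40311 on relay.
    info 2023-05-10 23:45:19.004  app.file_progress_hub - Upload started.
"""

def parse_connection_trace(text):
    # One dict per established session; the auth field is the one right after the timestamp.
    rows = []
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) >= 4:
            rows.append({"direction": parts[0], "timestamp": parts[1],
                         "auth": parts[2], "remote_id": parts[3]})
    return rows

def unattended_connections(rows):
    # Passwd/Token logons did not need anyone at the target to accept the session.
    return [r for r in rows if r["auth"] in ("Passwd", "Token")]

def parse_ad_trace_sessions(text):
    # Split on the asterisk separators; per session collect source IPs, count transfer lines,
    # and keep an entry count (0 = a separator with nothing above it, the deletion hint above).
    sessions, current = [], {"ips": [], "file_events": 0, "entries": 0}
    for line in text.splitlines():
        if line.startswith("****"):
            sessions.append(current)
            current = {"ips": [], "file_events": 0, "entries": 0}
            continue
        current["entries"] += 1
        m = re.search(r"logged in from (\d{1,3}(?:\.\d{1,3}){3})", line, re.I)
        if m:
            current["ips"].append(m.group(1))
        if "app.file_progress_hub" in line or "app.local_file_transfer" in line:
            current["file_events"] += 1
    sessions.append(current)
    return sessions
```

Point the two parsers at the real files from the paths listed above and compare the IPs and timestamps against your network logs, since connection_trace.txt only records sessions that were fully established.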

ad.trace_svc
This records similar activity to the ad.trace log file. However, you'll often see this one located in the default location of AnyDesk once it's installed on the system rather than when it's executed as a portable file. This is commonly within C:\ProgramData\AnyDesk. I won't go into too much detail here with this log, as it records similar activity to ad.trace.
Artifacts
Windows Event Logs
Of course when AnyDesk is installed, there are event logs to correlate this activity! You'll often see Service creation events once AnyDesk is installed. This is found within the System event log and correlates to Event ID 7045. Note that if you have verbose logging, such as Sysmon or Process Tracking/command line auditing, you'll likely see additional events here, but these are quick wins below!


You may also see that AnyDesk created firewall rules, as part of its installation and execution! Check out the Windows Defender Firewall Event log and you'll come across event IDs 2004 and 2006!

Artifacts of execution and program existence
You know we have to talk about artifacts here! I won't go into too much detail here, but keep in mind that execution of AnyDesk will create numerous Windows artifacts! Let's take a look at some examples below. Jumplists, Shimcache, BAM, oh my?! Note that if you see 'prokzult ad', that's an indicator of AnyDesk!


Want to look for potential exfil over AnyDesk and large bytes and don't have network logs? Look no further than SRUM!

You'll also see an Amcache entry too!

FileSystem Artifacts
Numerous files will be written to the filesystem; aside from the logs mentioned above, additional folders/files will be created too! I mentioned these above, so feel free to reference that!
Thumbnails
Yep! AnyDesk has a Thumbnail folder as well! These are located within C:\Users\%username%\AppData\Roaming\AnyDesk\thumbnails and are essentially small image files that may get captured when a session is established.

Registry Artifacts
Don't forget to look for Registry artifacts! Aside from UserAssist and whatnot, AnyDesk will create a key within the SOFTWARE hive once it's installed.

Network Logs
And of course, network logs. For example, look for references to Anydesk within firewall, netflow, DNS, proxy, and any other network based logs. This can also help identify additional requests referencing this tool!
Summary
Hopefully this helped make sense of how AnyDesk works, why TAs love to use it, and the artifacts that are created to help investigate AnyDesk abuse. As always, don't discredit other surrounding context of artifacts/events during your timeframe of interest and don't treat this writeup as an exhaustive list, but rather something to help with the quick wins! Remember, depending on the type of connection and how AnyDesk was set up, the log entries may vary; so don’t take this post as an all-encompassing be-all, single pane of glass for all things AnyDesk, but rather some common things you may come across in investigations. Be sure to always check other artifacts to create that constellation!
TL;DR - Look for service creation events, log files within C:\Users\%username%\appdata\roaming\AnyDesk, C:\ProgramData and C:\Program Files (x86)\AnyDesk as well as registry entries and artifacts of execution/program knowledge.