Adversaries who have obtained an AnyDesk session may use it to stage payloads or collect data, and one visible trace of this is the AnyDesk process itself writing binary files (.exe or .dll) to disk, which can indicate command and control or persistence being set up. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate threats that leverage AnyDesk for lateral movement or data extraction.
Detection Rule
title: Suspicious Binary Writes Via AnyDesk
id: 2d367498-5112-4ae5-a06a-96e7bc33a211
status: test
description: |
    Detects AnyDesk writing binary files to disk other than "gcapi.dll".
    According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,
    which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
references:
    - https://redcanary.com/blog/misbehaving-rats/
    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-28
modified: 2025-02-24
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\AnyDesk.exe'
            - '\AnyDeskMSI.exe'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_dlls:
        TargetFilename|endswith: '\gcapi.dll'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high
imFileEvent
// Sigma 'Image' is the writing process (ActingProcessName in the ASIM FileEvent schema);
// Sigma 'TargetFilename' is the full path written (TargetFilePath), so the gcapi.dll filter must test the path, not the bare file name.
| where (ActingProcessName endswith "\\AnyDesk.exe" or ActingProcessName endswith "\\AnyDeskMSI.exe")
    and (TargetFileName endswith ".dll" or TargetFileName endswith ".exe")
    and not (TargetFilePath endswith "\\gcapi.dll")
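The following Python script is an added example, not part of the Sigma rule or of any Sentinel content. It re-implements the rule's selection and filter_dlls logic over a handful of constructed ASIM-style file-event records (the paths, host names and file names are made up for illustration) so the behaviour of `selection and not 1 of filter_*` can be checked offline. It also accepts an optional tuple of lower-cased directory prefixes, which is how a site-specific exclusion like the false-positive scenarios discussed on this page would be layered on top of the rule's own gcapi.dll filter.

```python
"""Added example: the 'Suspicious Binary Writes Via AnyDesk' Sigma logic applied
to constructed ASIM-style file-event records. Illustrative code only; it is not
part of the Sigma rule or of any Microsoft Sentinel content."""
import json

# Sigma string matching is case-insensitive, so every value is lower-cased first.
ANYDESK_IMAGES = ("\\anydesk.exe", "\\anydeskmsi.exe")   # selection: Image|endswith
BINARY_EXTENSIONS = (".dll", ".exe")                      # selection: TargetFilename|endswith
FILTERED_TARGETS = ("\\gcapi.dll",)                       # filter_dlls: TargetFilename|endswith

# Constructed sample records (not real telemetry). Field names follow the ASIM
# FileEvent schema behind imFileEvent: ActingProcessName is the writing process
# (Sigma 'Image'), TargetFilePath is the path written (Sigma 'TargetFilename').
SAMPLE_LOG = r"""
{"EventType":"FileCreated","ActingProcessName":"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe","TargetFilePath":"C:\\Users\\alice\\AppData\\Roaming\\AnyDesk\\gcapi.dll"}
{"EventType":"FileCreated","ActingProcessName":"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe","TargetFilePath":"C:\\Users\\alice\\AppData\\Local\\Temp\\svc_update.exe"}
{"EventType":"FileCreated","ActingProcessName":"C:\\Program Files (x86)\\AnyDesk\\AnyDeskMSI.exe","TargetFilePath":"C:\\ProgramData\\AnyDesk\\helper.dll"}
{"EventType":"FileCreated","ActingProcessName":"C:\\Windows\\System32\\msiexec.exe","TargetFilePath":"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"}
{"EventType":"FileCreated","ActingProcessName":"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe","TargetFilePath":"C:\\Users\\alice\\AppData\\Roaming\\AnyDesk\\connection_trace.txt"}
"""


def load_events(jsonl: str) -> list[dict]:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def matches_rule(event: dict, extra_exclusions: tuple[str, ...] = ()) -> bool:
    """Return True when the record satisfies 'selection and not 1 of filter_*'.

    extra_exclusions are lower-cased directory prefixes (site-specific tuning);
    they are applied after the rule's own gcapi.dll filter.
    """
    # Accept either ASIM (ActingProcessName/TargetFilePath) or Sysmon-style
    # (Image/TargetFilename) field names so the same logic serves both sources.
    image = (event.get("ActingProcessName") or event.get("Image") or "").lower()
    target = (event.get("TargetFilePath") or event.get("TargetFilename") or "").lower()

    # selection: AnyDesk process writes a .dll or .exe anywhere on disk.
    selection = image.endswith(ANYDESK_IMAGES) and target.endswith(BINARY_EXTENSIONS)
    if not selection:
        return False
    # filter_dlls: the one binary the legitimate client is known to drop.
    if target.endswith(FILTERED_TARGETS):
        return False
    # Optional local tuning, e.g. a deployment share an admin writes to over AnyDesk.
    if any(target.startswith(prefix) for prefix in extra_exclusions):
        return False
    return True


def hunt(jsonl: str, extra_exclusions: tuple[str, ...] = ()) -> list[dict]:
    """Return the records the rule would alert on, in log order."""
    return [e for e in load_events(jsonl) if matches_rule(e, extra_exclusions)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"ALERT  {hit['ActingProcessName']} -> {hit['TargetFilePath']}")
```

Run against the sample log, only the `svc_update.exe` and `helper.dll` writes fire: the gcapi.dll drop is removed by the rule's own filter, the `.txt` write never enters the selection, and the msiexec.exe record shows why the writing process must be matched on ActingProcessName rather than on the target path, since that record has a target ending in `\AnyDesk.exe` but was not written by AnyDesk. Directory-prefix exclusions are deliberately kept separate from the rule logic: they trade coverage for noise reduction, so keep them as narrow as the environment allows and review them when the deployment or backup paths they name change.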
Scenario: System Update via AnyDesk
Description: A system administrator uses AnyDesk to remotely connect to a server and performs a system update, which involves writing temporary binary files to disk.
Filter/Exclusion: Exclude processes where the parent process is a known system update tool (e.g., wusa.exe, msiexec.exe) or where the file path matches a known temporary directory (e.g., C:\Windows\Temp).
Scenario: Scheduled Backup Job via AnyDesk
Description: A scheduled backup job is initiated remotely via AnyDesk, which writes binary files to a network share or local backup directory.
Filter/Exclusion: Exclude processes where the file path matches a known backup directory (e.g., D:\Backups\) or where the process is initiated by a scheduled task (e.g., schtasks.exe).
Scenario: Software Deployment via AnyDesk
Description: An IT admin uses AnyDesk to deploy software to multiple endpoints, which involves writing installation binaries to the local machine.
Filter/Exclusion: Exclude processes where the file path matches a known software deployment directory (e.g., C:\Deployment\) or where the process is initiated by a deployment tool (e.g., PDQDeploy.exe, Chocolatey.exe).
Scenario: Log File Generation via AnyDesk
Description: A remote session via AnyDesk generates log files (e.g., for debugging or auditing), which are written to the local disk.
Filter/Exclusion: Exclude processes where the file path matches a known log directory (e.g., C:\Logs\) or where the file extension is a known log format (e.g., .log, .txt).
Scenario: User-Initiated File Transfer via AnyDesk
Description: A user transfers files (