Detectionhightest
Suspicious Binary Writes Via AnyDesk
Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Wed Sep 28Updated Mon Feb 242d367498-5112-4ae5-a06a-96e7bc33a211windows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
Detection Logic2 selectors
detection:
selection:
Image|endswith:
- '\AnyDesk.exe'
- '\AnyDeskMSI.exe'
TargetFilename|endswith:
- '.dll'
- '.exe'
filter_dlls:
TargetFilename|endswith: '\gcapi.dll'
condition: selection and not 1 of filter_*False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Tactics
Other
attack.t1219.002
Rule Metadata
Rule ID
2d367498-5112-4ae5-a06a-96e7bc33a211
Status
test
Level
high
Type
Detection
Created
Wed Sep 28
Modified
Mon Feb 24
Path
rules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml
Raw Tags
attack.command-and-controlattack.t1219.002