Suspicious Binary Writes Via AnyDesk
Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
Sigma rule (View on GitHub)
1title: Suspicious Binary Writes Via AnyDesk
2id: 2d367498-5112-4ae5-a06a-96e7bc33a211
3status: test
4description: |
5 Detects AnyDesk writing binary files to disk other than "gcapi.dll".
6 According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,
7 which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
8references:
9 - https://redcanary.com/blog/misbehaving-rats/
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2022-09-28
12tags:
13 - attack.command-and-control
14 - attack.t1219
15logsource:
16 product: windows
17 category: file_event
18detection:
19 selection:
20 Image|endswith: '\anydesk.exe'
21 TargetFilename|endswith:
22 - '.dll'
23 - '.exe'
24 filter_dlls:
25 TargetFilename|endswith: '\gcapi.dll'
26 condition: selection and not 1 of filter_*
27falsepositives:
28 - Unknown
29level: high
References
-
Ransomware operators frequently abuse RATs like NetSupport, Remote Utilities, ScreenConnect, and Anydesk. Here's what to look out for.
Read More
Related rules
- Anydesk Temporary Artefact
- DNS Query To AzureWebsites.NET By Non-Browser Process
- GoToAssist Temporary Installation Artefact
- HackTool - Inveigh Execution Artefacts
- HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators