AnyDesk Forensics | AnyDesk Log Analysis

Tyler Brozek
Aug 24, 2022


In this blog post we will cover AnyDesk forensics and go over the AnyDesk logs from an incident response perspective. From these logs we can determine a number of details about an AnyDesk session: the IP address of the system that connected, details about that system, and indicators that data may have been exfiltrated from your environment.

First off I would like to give credit to Lina Lau (@inversecos on Twitter) for her AnyDesk forensics research that led to my understanding of these logs and helped me with my own testing and research. I’ll put a link at the bottom so everyone can go check out her blog posts!

Step One: Obtain the AnyDesk Logs

The first step in an investigation of AnyDesk usage is to obtain the important log files for analysis. If we message an end user and ask them anything about AnyDesk, they may try to be helpful and immediately uninstall or delete AnyDesk, which can destroy these logs.

For this reason, we want to grab these before anything else. The important AnyDesk logs can be found at the following locations:

C:\Users\%username%\AppData\Roaming\AnyDesk\ad.trace
C:\Users\%username%\AppData\Roaming\AnyDesk\connection_trace.txt
C:\ProgramData\AnyDesk\ad_svc.trace
C:\ProgramData\AnyDesk\connection_trace.txt

Step Two: Review the Connection Logs to Determine Timestamps of AnyDesk Connections

The connection_trace.txt log(s) are easy to read and contain some barebones information about successful AnyDesk connections. Here is an example log entry where I have changed some information (AnyDesk Connection ID) for demonstration purposes.

Incoming 2022-08-23, 23:19 User 462253849 462253849

The fields are: connection type, timestamp, authentication method, the remote AnyDesk ID, and the remote peer's alias (when no alias is set, the ID is repeated). The third field deserves a close look: User means a person at the console accepted the connection prompt, Passwd means the unattended-access password was used, and Token means a previously stored "login automatically" token was used. A Passwd or Token entry on a machine where nobody knowingly set up unattended access is suspicious on its own. The timestamp is in UTC; confirm this against the host's time zone setting before correlating with other sources. The entry above shows a successful inbound AnyDesk connection on 2022-08-23 23:19 UTC from AnyDesk ID 462253849. We will find much more detailed information in the next set of logs.
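To make step two repeatable across many hosts, here is a small parser for connection_trace.txt written in Python. This is an added example, not code from the original post or from AnyDesk; the sample file below is constructed to look like the entry quoted above (the IDs, alias and times are made up), and the parser tags timestamps as UTC because that is what this post states, so adjust if your host shows otherwise.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample modelled on the connection_trace.txt entry quoted above.
# AnyDesk IDs, alias and times are made up for this example.
SAMPLE_CONNECTION_TRACE = """\
Incoming 2022-08-23, 23:19 User 462253849 462253849
Incoming 2022-08-24, 00:11 Passwd 462253849 462253849
Incoming 2022-08-24, 02:40 Token 462253849 462253849
Incoming 2022-08-24, 03:05 User 110000001 helpdesk@ad
"""

# direction, "YYYY-MM-DD, HH:MM", auth method, remote ID, alias
ENTRY_RE = re.compile(
    r"^(?P<direction>\w+)\s+(?P<date>\d{4}-\d{2}-\d{2}),\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<auth>\S+)\s+(?P<remote_id>\d+)\s+(?P<alias>\S+)\s*$"
)

# Meaning of the third column. Any value not listed is kept verbatim for manual review.
AUTH_MEANING = {
    "User": "accepted interactively at the console",
    "Passwd": "unattended-access password",
    "Token": "stored 'login automatically' token",
}


def parse_connection_trace(text):
    """Parse connection_trace.txt into dicts. Timestamps are tagged UTC (assumption from the post)."""
    records = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # blank or unexpected line; keep the raw file for manual review
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M")
        records.append({
            "direction": m["direction"],
            "timestamp": ts.replace(tzinfo=timezone.utc),
            "auth": m["auth"],
            "auth_meaning": AUTH_MEANING.get(m["auth"], "unknown, review manually"),
            "remote_id": m["remote_id"],
            "alias": m["alias"],
        })
    return records


def unattended_connections(records):
    """Sessions that did not need a person at the console to click Accept."""
    return [r for r in records if r["auth"] in ("Passwd", "Token")]


def connections_between(records, start_iso, end_iso):
    """Records with start <= timestamp < end; bounds are ISO 8601 strings with an offset."""
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    return [r for r in records if start <= r["timestamp"] < end]


def count_by_remote_id(records):
    """How many times each remote AnyDesk ID connected."""
    return Counter(r["remote_id"] for r in records)


if __name__ == "__main__":
    recs = parse_connection_trace(SAMPLE_CONNECTION_TRACE)
    for r in recs:
        print(r["timestamp"].isoformat(), r["remote_id"], r["alias"], r["auth"], "->", r["auth_meaning"])
    print("unattended:", len(unattended_connections(recs)), "by ID:", dict(count_by_remote_id(recs)))
```

Run it against the real file with `parse_connection_trace(open(path, encoding="utf-8").read())`; the unattended-connection list is the one to hand to whoever asks "did anyone actually click Accept?".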

Step Three: Grep the trace logs for specific keywords

Now we can take our ad.trace and ad_svc.trace files and grep them for specific keywords (if you only have one of the two files, that is fine; see the note at the end of this post). There are a lot of error messages in these logs even when the connection succeeded, so grepping for the lines that matter is a good first step to understanding the session details.

PowerShell:

Select-String -Path .\ad.trace -Pattern 'Remote OS', 'Incoming session', 'app.prepare_task', 'anynet.relay', 'anynet.any_socket', 'files', 'text offers'

Select-String -Path .\ad_svc.trace -Pattern 'Remote OS', 'Incoming session', 'app.prepare_task', 'anynet.relay', 'anynet.any_socket', 'files', 'text offers'

We use this to pull out successful connections and the metadata associated with them, as well as any file copy or clipboard text copy events. Using -Path prefixes every hit with the file name and line number, which makes it easy to go back to the surrounding lines for context, and leaving off -List ensures every matching line is returned rather than only the first.

Step Four: Locating the Remote IP Connecting to AnyDesk

Review the output we generated from grepping the ad.trace and ad_svc.trace log files, or simply Ctrl+F for the string "Logged in from". This gives the remote IP connecting to AnyDesk. Because AnyDesk sessions are brokered through AnyDesk's own relay servers, your firewall and proxy logs will usually show only AnyDesk infrastructure addresses; this log entry is the one place the connecting peer's real IP is recorded. I have changed some details in this log entry for demonstration purposes (the IP address has been changed to one that I have made up).

info 2022-08-24 00:11:24.676 lsvc 2324 2328 20 anynet.any_socket - Logged in from 107.152.37.7:3460 on relay 30eb2fb5.

We can see above from my testing that the remote IP is 107.152.37.7, which geolocates to Illinois and belongs to ServerCheap, a hosting provider rather than a residential ISP, yikes! Some good websites for WHOIS and IP address geolocation are CentralOps.net and Geolocation.com.

Step Five: Locating Information about the Connecting System

We go back to reviewing the same output that we grepped from the ad.trace or ad_svc.trace log to find details about the system that connected.

In this log entry you can see that the connecting system's username is gh0st on the computer they connected to us from. Spooky! The number in parentheses is the remote AnyDesk ID, and it should match the ID recorded in connection_trace.txt.

info 2022-08-24 00:11:25.627 back 2472 2496 app.backend_session - Incoming session request: gh0st (462253849)

In this next line you can see details about the remote operating system, which here is Windows.

info 2022-08-24 00:11:25.635 back 2472 2496 app.backend_session - Remote OS: Windows, Connection flags: direct paid 3

Step Six: Determine If Data Was Exfiltrated During the AnyDesk Session

An adversary can copy and paste files from the system, or they can copy and paste text. Each shows up in a distinct way in the logs. The following lines indicate files being copied from the affected system; the operative words are "files" and "offer":

info 2022-08-24 00:11:50.984 lctrl 2332 2336 clipbrd.capture - Found 1 files
info 2022-08-24 00:12:00.433 lctrl 2332 2372 app.ctrl_clip_comp - Got a request to list files in offer 124069b6c4bc3b44.
info 2022-08-24 00:12:00.435 lctrl 2332 2372 app.ft_src_session - Starting to iterate files from offer 124069b6c4bc3b44.
info 2022-08-24 00:12:15.029 lctrl 2332 2336 clipbrd.capture - Found 1 files
info 2022-08-24 00:12:30.458 lsvc 2324 2328 20 anynet.any_socket - Direct connection closed (result_unknown).
info 2022-08-24 00:12:35.305 lctrl 2332 2372 app.ctrl_clip_comp - Got a request to list files in offer 57fbbb503ebf15c8.
info 2022-08-24 00:12:35.308 lctrl 2332 2372 app.ft_src_session - Starting to iterate files from offer 57fbbb503ebf15c8.
info 2022-08-24 00:13:11.204 lctrl 2332 2336 clipbrd.capture - Found 1 files
info 2022-08-24 00:13:11.302 lctrl 2332 2336 clipbrd.capture - Found 1 files
info 2022-08-24 00:13:30.264 lctrl 2332 2336 clipbrd.capture - Found 1 files
info 2022-08-24 00:13:34.178 lctrl 2332 2372 app.ctrl_clip_comp - Got a request to list files in offer 57eec41496da6369.
info 2022-08-24 00:13:34.181 lctrl 2332 2372 app.ft_src_session - Starting to iterate files from offer 57eec41496da6369.

You may get some more detailed information such as filepath of the copied files, but in this case and in my testing, I did not get filepaths. For more information on what that would look like please check out Lina Lau’s blog on AnyDesk forensics.

The next line shows text being copied from the system via the clipboard. An attacker can pull base64-encoded executables, entire text files containing sensitive data, SSH keys, and so on out of your system this way. This is what it looks like in the logs:

info 2022-08-23 23:20:16.707 lctrl 2244 2248 clipbrd.capture - Relaying text offers.
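Steps three to six all come down to picking the same handful of message types out of ad.trace and ad_svc.trace, so here is a Python parser that does that in one pass and answers the questions above (remote IP, remote username and ID, remote OS, file offers, clipboard text relays). This is an added example, not code from the original post or from AnyDesk. The sample trace is constructed from the lines quoted in this post (the post notes the IP and IDs were altered); the "Relaying text offers" line has been moved into the same session and a noisy error line added purely to show that unrelated lines are ignored.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample assembled from the trace lines quoted in this post (IP and IDs are
# the post's altered values); the last two lines are added for illustration.
SAMPLE_TRACE = """\
info 2022-08-24 00:11:24.676 lsvc 2324 2328 20 anynet.any_socket - Logged in from 107.152.37.7:3460 on relay 30eb2fb5.
info 2022-08-24 00:11:25.627 back 2472 2496 app.backend_session - Incoming session request: gh0st (462253849)
info 2022-08-24 00:11:25.635 back 2472 2496 app.backend_session - Remote OS: Windows, Connection flags: direct paid 3
info 2022-08-24 00:11:50.984 lctrl 2332 2336 clipbrd.capture - Found 1 files
info 2022-08-24 00:12:00.433 lctrl 2332 2372 app.ctrl_clip_comp - Got a request to list files in offer 124069b6c4bc3b44.
info 2022-08-24 00:12:00.435 lctrl 2332 2372 app.ft_src_session - Starting to iterate files from offer 124069b6c4bc3b44.
info 2022-08-24 00:12:30.458 lsvc 2324 2328 20 anynet.any_socket - Direct connection closed (result_unknown).
info 2022-08-24 00:12:35.305 lctrl 2332 2372 app.ctrl_clip_comp - Got a request to list files in offer 57fbbb503ebf15c8.
info 2022-08-24 00:12:35.308 lctrl 2332 2372 app.ft_src_session - Starting to iterate files from offer 57fbbb503ebf15c8.
info 2022-08-24 00:13:12.707 lctrl 2332 2336 clipbrd.capture - Relaying text offers.
error 2022-08-24 00:13:13.000 lsvc 2324 2328 20 anynet.relay - Some noisy error that is not an event we care about.
"""

# level, timestamp, process tag, one or more numeric fields, logger, " - ", message
LINE_RE = re.compile(
    r"^(?P<level>\w+)\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<proc>\w+)\s+(?:\d+\s+)+(?P<logger>[\w.]+)\s+-\s+(?P<msg>.*)$"
)

# Message fragments that carry the artefacts discussed in steps four to six.
EVENT_PATTERNS = {
    "login": re.compile(r"Logged in from (?P<ip>[\d.]+):(?P<port>\d+) on relay (?P<relay>\w+)"),
    "session_request": re.compile(r"Incoming session request: (?P<user>.+?) \((?P<id>\d+)\)"),
    "remote_os": re.compile(r"Remote OS: (?P<os>\w+), Connection flags: (?P<flags>.*)"),
    "file_found": re.compile(r"Found (?P<count>\d+) files"),
    "file_list": re.compile(r"request to list files in offer (?P<offer>[0-9a-f]+)"),
    "file_iterate": re.compile(r"iterate files from offer (?P<offer>[0-9a-f]+)"),
    "text_offer": re.compile(r"Relaying text offers"),
    "disconnect": re.compile(r"connection closed"),
}


def parse_trace(text):
    """Return (timestamp, kind, fields) for every line that matches a known event; others are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        for kind, pat in EVENT_PATTERNS.items():
            hit = pat.search(m["msg"])
            if hit:
                ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
                events.append((ts, kind, hit.groupdict()))
                break
    return events


def summarize_session(events):
    """Collapse parsed events into the facts an analyst reports for one session."""
    s = {"first_seen": None, "last_seen": None, "remote_ip": None, "remote_port": None,
         "relay": None, "remote_ip_is_public": None, "remote_user": None, "remote_id": None,
         "remote_os": None, "connection_flags": None, "file_offers": [],
         "file_capture_count": 0, "text_offer_count": 0, "disconnects": 0}
    offers = set()
    for ts, kind, f in events:
        s["first_seen"] = ts if s["first_seen"] is None else min(s["first_seen"], ts)
        s["last_seen"] = ts if s["last_seen"] is None else max(s["last_seen"], ts)
        if kind == "login":
            s["remote_ip"], s["remote_port"], s["relay"] = f["ip"], int(f["port"]), f["relay"]
            # A private or loopback source means the peer is inside your network, not an internet host.
            s["remote_ip_is_public"] = ipaddress.ip_address(f["ip"]).is_global
        elif kind == "session_request":
            s["remote_user"], s["remote_id"] = f["user"], f["id"]
        elif kind == "remote_os":
            s["remote_os"], s["connection_flags"] = f["os"], f["flags"]
        elif kind in ("file_list", "file_iterate"):
            offers.add(f["offer"])  # each offer ID is one batch of files the peer pulled
        elif kind == "file_found":
            s["file_capture_count"] += 1
        elif kind == "text_offer":
            s["text_offer_count"] += 1
        elif kind == "disconnect":
            s["disconnects"] += 1
    s["file_offers"] = sorted(offers)
    return s


if __name__ == "__main__":
    for key, value in summarize_session(parse_trace(SAMPLE_TRACE)).items():
        print(f"{key:>20}: {value}")
```

Feed it both trace files concatenated and sort the events by timestamp before summarising; if more than one "Logged in from" line appears, split the events at each login so every session gets its own summary.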

Step Seven: Was This a Malicious Event or a Squirrely End User?

There is a lot of data that will go into answering this question if you are reviewing an AnyDesk alert and have collected all this data above. We will need a bit more information to make a good determination.

A great piece of information will be to collect the Sysmon Operational event log and the Security event log to determine the command-line parameters of AnyDesk, timestamps, and surrounding activity.

The location of these files to collect are:

C:\Windows\System32\winevt\Logs\Security.evtx
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx

I recommend using Nirsoft FullEventLogView to review these event logs, but you can use the log viewer of your choice or just double-click them to open in Windows Event Viewer. We can get the command line from Sysmon Event ID 1, or from Security Event ID 4688 as long as process creation auditing is enabled and the "Include command line in process creation events" policy is turned on in your environment (without it, 4688 records the process name but not its arguments). Any event log viewer will let you filter on these event IDs.

For some context on what we are looking for, let's first look at how AnyDesk is installed when an adversary has command-line access through a tool such as Qbot, DCRat, Meterpreter or Cobalt Strike. A leaked manual from the Conti ransomware group gives insight into how AnyDesk can be installed silently with a password set for unattended remote access. This type of persistence gives the threat actor a legitimate, signed application that EDR/XDR/AV is unlikely to flag and that does not alert the user when someone connects to their machine.

Here PowerShell and cmd are used to automate the installation of AnyDesk, thanks to Cyble for the information! See the link at the bottom for the resource this was taken from; it gives a lot of great information about the Conti leaks.

AnyDesk silent installation PowerShell script snippet from Conti leaks

These commands are indicative of an adversary installing AnyDesk for persistence. Knowing what this looks like is very helpful when reviewing the Sysmon Operational event log or the Security event log during an AnyDesk investigation.

If instead we see something more indicative of a user launching AnyDesk manually (the parent process is explorer.exe and the command line carries no silent-install options), then we likely have one of two things. Either a squirrely end user is trying to do something odd, like connecting to their own system from their phone, or an adversary already has GUI access to the system (via VPN, RDP, VNC, another remote access tool, or a RAT with a hidden desktop such as hVNC) and is setting up AnyDesk for persistence without needing a script to install it.
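The scripted-versus-manual distinction above is easy to encode once the process-creation events are collected. The following Python triage is an added example, not code from the original post or from the Conti material. It works over constructed records shaped like Sysmon Event ID 1 fields (paths, user and times are made up); the switches it looks for (--install, --silent, --start-with-win, --set-password, --get-id) are AnyDesk's own command-line options for unattended deployment, and the set of script-host parent processes is my own choice.

```python
import re
from pathlib import PureWindowsPath

# AnyDesk command-line switches used for unattended deployment. Any of these in a
# process-creation event is the fingerprint of a scripted install, not a double-click.
INSTALL_FLAGS = {"--install", "--silent", "--start-with-win", "--set-password", "--get-id"}

# Parents that mean "started from a script or shell" rather than from the desktop
# (analyst's choice; extend to match your environment).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed records shaped like the Sysmon Event ID 1 fields used below. The first two
# mirror a silent install followed by setting the unattended-access password; the third
# is a plain launch from Explorer; the fourth is unrelated noise.
SAMPLE_EVENTS = [
    {"UtcTime": "2022-08-23 23:02:10.120", "Image": r"C:\ProgramData\AnyDesk.exe",
     "CommandLine": r"C:\ProgramData\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    {"UtcTime": "2022-08-23 23:02:11.004", "Image": r"C:\ProgramData\anydesk.exe",
     "CommandLine": r"C:\ProgramData\anydesk.exe --set-password",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\jdoe"},
    {"UtcTime": "2022-08-23 23:15:40.900", "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "CommandLine": r'"C:\Users\jdoe\Downloads\AnyDesk.exe"',
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe"},
    {"UtcTime": "2022-08-23 23:16:01.000", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe"},
]

FLAG_RE = re.compile(r"(?<!\S)--[a-z][a-z-]*")


def basename(path):
    return PureWindowsPath(path).name.lower()


def flags_in(cmdline):
    """All --switches on a command line, lower-cased."""
    return set(FLAG_RE.findall(cmdline.lower()))


def looks_like_anydesk(event):
    # Match on the image name, and also on the install switches so a renamed binary is still caught.
    return basename(event["Image"]) == "anydesk.exe" or bool(flags_in(event["CommandLine"]) & INSTALL_FLAGS)


def triage(event):
    """Classify one AnyDesk process-creation event the way step seven describes."""
    flags = flags_in(event["CommandLine"])
    parent = basename(event["ParentImage"])
    install_flags = sorted(flags & INSTALL_FLAGS)
    if install_flags or parent in SCRIPT_HOSTS:
        verdict = "scripted_install"
    elif parent == "explorer.exe" and not flags:
        verdict = "interactive_launch"
    elif parent in ("anydesk.exe", "services.exe"):
        verdict = "anydesk_child_or_service"  # normal once installed; triage the parent event instead
    else:
        verdict = "review"
    return {
        "time": event["UtcTime"], "user": event["User"], "parent": parent,
        "verdict": verdict, "install_flags": install_flags,
        # --set-password creates the unattended-access password: expect later
        # connection_trace.txt entries whose third column is Passwd.
        "sets_unattended_password": "--set-password" in flags,
    }


def triage_events(events):
    """Return a triage verdict for every AnyDesk-looking event, in input order."""
    return [triage(e) for e in events if looks_like_anydesk(e)]


if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding)
```

Export Sysmon EID 1 (or 4688 with command lines) to JSON or CSV with the same field names and feed the rows to triage_events; a scripted_install verdict that is followed in connection_trace.txt by Passwd connections from an external hosting IP is about as clear a persistence story as these logs can tell.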

If the activity looks relatively benign and we decide to contact the end user for context, we now have key details ready to help them answer our questions and tell us whether they recognise the activity.

Details we have with these logs now: Remote IP with ISP and geolocation approximation, remote system’s username, remote OS metadata, proof of successful connections with IP address, and timestamps from the connection(s).

Thank you for reading this blog, I hope it was helpful to someone! I hope to produce some more content like this so if you enjoy please subscribe!

Note: You may notice that you have files in the %appdata% directory but not in C:\ProgramData, or vice versa. This is normal and is caused by how AnyDesk was run. If it was installed, it runs as a service and you will get the log files in C:\ProgramData. If it was run as a portable executable for one-time use, the files will be in the %appdata% directory of the user who ran it.

As promised, here is a link to Lina Lau’s blog (@inversecos) for some great content: https://www.inversecos.com/

Lastly, here is a link to some details about the Conti leaks: Cyble — Conti Secrets Hacker’s Handbook Leaked


Tyler Brozek

Hey everyone, welcome to my blog! I am a Senior Incident Response Analyst and I blog about IR, Threat Hunting, Detection Engineering, CTFs, and Online Labs.