Forensic Analysis of AnyDesk Logs

Most threat actors during ransomware incidents utilise some type of remote access tools - one of them being AnyDesk. This is a free remote access tool that threat actors download onto hosts to access them easily and also for bidirectional file transfer. 

There are two locations for where AnyDesk logs are stored on the Windows file system:

  • %programdata%\AnyDesk\ad_svc.trace
  • %appdata%\Anydesk\ad.trace
The AnyDesk logs can be found under the appdata located within each users' directory where the tool has been installed.

Forensic analysis of these logs reveal interesting pieces of information inside the "ad.trace" log:
  • Remote IP where the actor connected from
  • File transfer activity

Locating the Remote IP Connecting to AnyDesk

Inside the "ad.trace" log you can grep for the following term "External address" and this should reveal the following line pasted below. I have redacted the IP for privacy's sake:

info 2021-02-04 23:25:10.500       lsvc   9988   6992    3                anynet.relay_conn - External address: 116.255.x.x:47220.

Locating File Transfer Activity

Similarly, inside the "ad.trace" logs under each users' %appdata% folder you should be grepping for the terms "files" and "app.prepare_task". This will reveal to you, from which folder the files are being copied from and also the number of files copied. In the screenshot below, 1 file was copied from the host to the remote host and it shows you the directory it was taken from:

anydesk log analysis


Comments

Post a comment

Popular posts from this blog

Successful 4624 Anonymous Logons to Windows Server from External IPs?

Image
If you see successful 4624 event logs that look a little something like this in your Event Viewer showing an ANONYMOUS LOGON, an external IP (usually from Russia, Asia, USA, Ukraine) with an authentication package of NTLM, NTLMSSP, don't be alarmed - this is not an indication of a successful logon+access of your system even though it's logged as a 4624. If your server has RDP or SMB open publicly to the internet you may see a suite of these logs on your server's event viewer. Although these are showing up as Event ID 4624 (which generally correlates to successful logon events), these are NOT successful access to the system without a correlating Event ID 4624 showing up with an Account Name \\domain\username and a type 10 logon code for RDP or a type 3 for SMB. You can double check this by looking at 4625 events for a failure, within a similar time range to the logon event for confirmation. The reason for this is because when a user initiates an RDP or SMB c
Read more

A Guide to Cracking Steganography: Least Significant Bits and Basic Tools

Image
When it comes to cracking steganography – like other capture-the-flag challenges, there's a particular methodology you can follow. While there are a myriad of online decryption and encryption tools, the goal of this guide is to show you how to analyse files and learn how steganography works. In this guide, we're going to examine file compressions and least significant bits – the tools and the methodology you can follow. 1. File and Strings  First and foremost, when you get an image, the first step is to boot up your terminal and run 'file' in the command-line to examine the file. Given it's a png or a jpg image – take particular note of the size of the image and the colour depth of image – is it 8-bit or 16-bit? $ file photo.png For a passive overview of possible messages stored within the image, run the 'strings' command and see if there are any hidden text of interest. Sometimes, useful sentences can be configured within the file – I once
Read more

Reverse Engineering Guide on x86 Assembly: Part 1 Intro To Registers

Image
Learning x86 assembly is critical when you’re analysing malware, deconstructing executable files and developing your own exploits. However, before you’re able to embark on this journey, it’s crucial you’re familiar with C and compilation. What are registers?   A register is a storage space in the CPU that’s faster to access then RAM. All x86 CPUs have 8 general-purpose registers in total. They are generally 32-bits wide, however 16-bit versions are also accessible. Some registers have reserved purposes for the CPU and others don’t and are referred to as ‘general purpose’ registers. Introduction to the 8 Registers Here are the 8 registers with their register names (the acronym) and their meaning: E A X (extended accumulator register used for major calculations) E B X (extended base register used for storing data) E C X (extended counter register used as the universal loop counter) E D X (extended data register used for storing data related to the accu
Read more