Forensic Analysis of AnyDesk Logs

Most threat actors during ransomware incidents utilise some type of remote access tools - one of them being AnyDesk. This is a free remote access tool that threat actors download onto hosts to access them easily and also for bidirectional file transfer. 

There are two locations for where AnyDesk logs are stored on the Windows file system:

  • %programdata%\AnyDesk\ad_svc.trace
  • %appdata%\Anydesk\ad.trace
The AnyDesk logs can be found under the appdata located within each users' directory where the tool has been installed.

Forensic analysis of these logs reveal interesting pieces of information inside the "ad.trace" log:
  • Remote IP where the actor connected from
  • File transfer activity

Locating the Remote IP Connecting to AnyDesk

Inside the "ad.trace" log you can grep for the following term "External address" and this should reveal the following line pasted below. I have redacted the IP for privacy's sake:

info 2021-02-04 23:25:10.500       lsvc   9988   6992    3                anynet.relay_conn - External address: 116.255.x.x:47220.

Locating File Transfer Activity

Similarly, inside the "ad.trace" logs under each users' %appdata% folder you should be grepping for the terms "files" and "app.prepare_task". This will reveal to you, from which folder the files are being copied from and also the number of files copied. In the screenshot below, 1 file was copied from the host to the remote host and it shows you the directory it was taken from:

anydesk log analysis


Comments

  1. Send Big2 June 2021 at 20:39

    Wow! Thank you! I constantly wanted to write on my site something like that. Can I take a portion of your post to my website? best Send large files free service provider.

    ReplyDelete

Post a Comment

Popular posts from this blog

Successful 4624 Anonymous Logons to Windows Server from External IPs?

Image
If you see successful 4624 event logs that look a little something like this in your Event Viewer showing an ANONYMOUS LOGON, an external IP (usually from Russia, Asia, USA, Ukraine) with an authentication package of NTLM, NTLMSSP, don't be alarmed - this is not an indication of a successful logon+access of your system even though it's logged as a 4624. If your server has RDP or SMB open publicly to the internet you may see a suite of these logs on your server's event viewer. Although these are showing up as Event ID 4624 (which generally correlates to successful logon events), these are NOT successful access to the system without a correlating Event ID 4624 showing up with an Account Name \\domain\username and a type 10 logon code for RDP or a type 3 for SMB. You can double check this by looking at 4625 events for a failure, within a similar time range to the logon event for confirmation. The reason for this is because when a user initiates an RDP or SMB c
Read more

A Guide to Cracking Steganography: Least Significant Bits and Basic Tools

Image
When it comes to cracking steganography – like other capture-the-flag challenges, there's a particular methodology you can follow. While there are a myriad of online decryption and encryption tools, the goal of this guide is to show you how to analyse files and learn how steganography works. In this guide, we're going to examine file compressions and least significant bits – the tools and the methodology you can follow. 1. File and Strings  First and foremost, when you get an image, the first step is to boot up your terminal and run 'file' in the command-line to examine the file. Given it's a png or a jpg image – take particular note of the size of the image and the colour depth of image – is it 8-bit or 16-bit? $ file photo.png For a passive overview of possible messages stored within the image, run the 'strings' command and see if there are any hidden text of interest. Sometimes, useful sentences can be configured within the file – I once
Read more