
2 posts tagged with "Anydesk"


📦 Volatility3 Windows Plugin - AnyDesk

k1nd0ne (Digital Forensics Spiderman) · 10 min read

During incident response, adversaries often use legitimate remote access software as an interactive command and control channel. AnyDesk [1] is one such tool: threat actors use it extensively as an additional layer of persistence, or as a foothold from which to reach other servers in the environment over RDP [2]. AnyDesk in particular has been encountered in the wild repeatedly in recent years as a preferred tool of known threat actors.

AnyDesk activity should therefore be monitored closely: threat actors can easily alter or delete its on-disk logs after a successful intrusion, and those logs cannot always be recovered. Defending against misuse of such software is even harder in organizations that have approved its legitimate use. This post shows how memory forensics can recover and analyse AnyDesk artefacts with a custom Volatility 3 plugin, which I have released as a free open-source tool to support digital investigations.
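The point above is that log lines an attacker deleted from disk frequently survive in RAM, where they can be carved directly from a memory image. The following is an added example written for this page, not code from the post or from the Volatility plugin it introduces. It carves trace-style lines from a raw image in overlapping chunks (so lines straddling a chunk boundary are still recovered), orders them by timestamp, and pulls out remote IPv4 endpoints. The line shape it matches (`<level> <timestamp> ... <component> - <message>`) is an approximation of AnyDesk's trace format and is an assumption, as is the embedded sample image, which is constructed for the example.

```python
import re
from datetime import datetime

# Approximation of an AnyDesk-style trace line (assumption, not the exact vendor
# column layout); only "<level> <timestamp> ... <component> - <message>" is relied on.
TRACE_LINE = re.compile(
    rb"(?P<level>info|warning|error) "
    rb"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})"
    rb"[^\n\x00]*?(?P<component>[a-z_]+(?:\.[a-z_]+)+) - "
    rb"(?P<msg>[^\n\x00]{1,300})"
)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def carve_trace_lines(image: bytes, chunk: int = 1 << 20, overlap: int = 4096) -> list:
    """Carve trace-style lines from a raw memory image.

    The image is scanned in windows of `chunk` bytes plus `overlap` bytes of
    look-ahead, so a line that straddles a chunk boundary is still matched in
    full by the window it starts in. Only matches that start inside the first
    `chunk` bytes of a window are accepted; later ones belong to the next window,
    which avoids reporting the same line twice.
    """
    records = []
    pos = 0
    while pos < len(image):
        window = image[pos:pos + chunk + overlap]
        for m in TRACE_LINE.finditer(window):
            if m.start() >= chunk:
                break  # finditer yields in order, so everything after this is next window's
            records.append({
                "offset": pos + m.start(),
                "level": m.group("level").decode(),
                "timestamp": datetime.strptime(m.group("ts").decode(), "%Y-%m-%d %H:%M:%S.%f"),
                "component": m.group("component").decode(),
                "message": m.group("msg").decode("ascii", errors="replace"),
            })
        pos += chunk
    # Rebuild a timeline; ties (identical timestamps) are ordered by image offset.
    records.sort(key=lambda r: (r["timestamp"], r["offset"]))
    return records


def remote_endpoints(records: list) -> list:
    """Collect the IPv4 addresses mentioned in carved messages (session peers, relays)."""
    ips = set()
    for r in records:
        ips.update(IPV4.findall(r["message"]))
    return sorted(ips)


# Constructed sample "memory image": filler bytes with trace lines embedded at
# arbitrary offsets, one of them twice (as happens when the same buffer is
# mapped in more than one place). Not a real capture.
_FILLER = bytes(range(256)) * 3
_LINES = [
    b"info 2024-03-02 10:15:01.223  gui   4120  5018  14  app.session - Session started\n",
    b"info 2024-03-02 10:15:07.901  svc   1336  2204  22  anynet.any_socket - Logged in from 203.0.113.5:52345 on relay\n",
    b"error 2024-03-02 10:16:40.004  svc   1336  2204  22  anynet.relay_conn - Connection lost\n",
]
SAMPLE_IMAGE = (_FILLER + _LINES[2] + _FILLER + _LINES[0] + _FILLER
                + _LINES[1] + _FILLER + _LINES[1] + _FILLER)


if __name__ == "__main__":
    # Small chunk/overlap so the boundary handling is exercised on the tiny sample.
    for r in carve_trace_lines(SAMPLE_IMAGE, chunk=256, overlap=512):
        print(f"0x{r['offset']:08x} {r['timestamp']} {r['level']:7} {r['component']:20} {r['message']}")
    print("remote endpoints:", remote_endpoints(carve_trace_lines(SAMPLE_IMAGE)))
```

Run against a real image with `open(path, "rb").read()` (or an `mmap` for large dumps); the default 1 MiB chunk with 4 KiB overlap is comfortably larger than any single trace line, which is the only requirement for correctness of the boundary handling. Offsets are kept on each record so a hit can be mapped back to the owning process with the usual Volatility process and VAD plugins.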

Footnotes

  1. https://anydesk.com/en

  2. https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/