2 posts tagged with "Anydesk"

When performing incident response, the adversary often uses legitimate remote access software as an interactive command and control channel. AnyDesk¹ is one of those software being extensively used as a sublayer of persistence by threat actors or access other servers in the environment via RDP². The latter has been often encountered in the wild in the past years as a preferred tool leveraged by known threat actors.

As such, Anydesk should be closely monitored as threat actors could easily alter or delete data after a successful attack; sometimes it is not possible to restore those altered logs. Defending against malicious actions with such remote software can be even more intricate for organizations having approved its legitimate usage. Here we propose to leverage memory forensics to retrieve and analyze artefacts thanks to a custom Volatility plugin that I made available as a free open-source tool for improving digital investigations.