Detection rules › Sigma
Suspicious Binary Writes Via AnyDesk
Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Command & Control | T1219.002 Remote Access Tools: Remote Desktop Software |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: selection
or:
Image|endswith: '\AnyDesk.exe'
Image|endswith: '\AnyDeskMSI.exe'
or:
TargetFilename|endswith: .dll
TargetFilename|endswith: .exe
Stage 2: not 1 of filter_dlls
TargetFilename|endswith: '\gcapi.dll'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Image | ends_with |
|
TargetFilename | ends_with |
|