← Library
sigmaDRL-1.1from SigmaHQ/sigma

Suspicious Binary Writes Via AnyDesk

Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)

Quality
90
FP risk
Forks
0
Views
0
ATT&CK techniques
T1219.002
Rule sourcerules/windows/file/file_event/file_event_win_anydesk_writing_susp_binaries.yml
title: Suspicious Binary Writes Via AnyDesk
id: 2d367498-5112-4ae5-a06a-96e7bc33a211
status: test
description: |
    Detects AnyDesk writing binary files to disk other than "gcapi.dll".
    According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,
    which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
references:
    - https://redcanary.com/blog/misbehaving-rats/
    - https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-28
modified: 2025-02-24
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith:
            - '\AnyDesk.exe'
            - '\AnyDeskMSI.exe'
        TargetFilename|endswith:
            - '.dll'
            - '.exe'
    filter_dlls:
        TargetFilename|endswith: '\gcapi.dll'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: high