AnyDesk Remote Access

AnyDesk is a popular remote access program which is often used by threat actors (and scammers) as either an entry point into an environment or to transfer tools between environments

AnyDesk was downloaded and executed without installation on a Windows 10 instance as well as an Ubuntu 20.04 instance. A number of files were transferred from one party to another.

Windows File/Log Locations

➡️ C:\Users\username\AppData\Roaming\AnyDesk\ad.trace

This is where most of the information is kept. This is a verbose application runtime/connectivity log. From the short test conducted, I was able to identify the following snippets:

   info 2022-03-18 01:56:24.672      front   2428   7036 main - Process started at 2022-03-18. PID 2428. OS is Windows 10 (64 bit)

🔴 Start time for the process (with corresponding PID). The time listed 18th March 2022 01:56:24.672 is in UTC, not the time of the local system.

  error 2022-03-18 01:56:28.622      front   2428   5044                    os_win.fs_sentinel - Failed to monitor 'C:\Users\Public\AccountPictures\S-1-5-21-4283608420-3620247853-3965221735-1001' (2).

I'm not sure why AnyDesk is querying this particular folder in the Public folder.

   info 2022-03-18 01:56:28.915       lsvc   6956   5212   12                base.proxy_finder - Skipping search. Next search in 59406 ms.
   info 2022-03-18 01:56:28.915       lsvc   6956   5212   12           anynet.relay_connector - Connecting to relay boot.net.anydesk.com (1/1)
   info 2022-03-18 01:56:28.915       lsvc   6956   5212   12           anynet.relay_connector - Skipping connect method connect_proxy_443 (1/6) (no proxy found)
   info 2022-03-18 01:56:28.915       lsvc   6956   5212   12           anynet.relay_connector - Skipping connect method connect_proxy_80 (2/6) (no proxy found)
   info 2022-03-18 01:56:28.915       lsvc   6956   5212   12           anynet.relay_connector - Skipping connect method socks_proxy_443 (3/6) (no proxy found)
   info 2022-03-18 01:56:28.915       lsvc   6956   5212   12           anynet.relay_connector - Using IPv4: 213.239.219.11

Connectivity to an AnyDesk relay (that external IP is not the IP of the instance)

   info 2022-03-18 02:00:19.971       lsvc   6180   4204    8           anynet.relay_connector - Connecting to relay relay-f292f5b5.net.anydesk.com (1/4)
   info 2022-03-18 02:00:19.971       lsvc   6180   4204    8           anynet.relay_connector - Skipping connect method connect_proxy_443 (1/6) (no proxy found)
   info 2022-03-18 02:00:19.971       lsvc   6180   4204    8           anynet.relay_connector - Skipping connect method connect_proxy_80 (2/6) (no proxy found)
   info 2022-03-18 02:00:19.971       lsvc   6180   4204    8           anynet.relay_connector - Skipping connect method socks_proxy_443 (3/6) (no proxy found)
   info 2022-03-18 02:00:20.036       lsvc   6180   4204    8           anynet.relay_connector - Using IPv4: 143.244.62.119

Connectivity to a relay (the anynet.relay_connector hostname relay-f292f5b5 matches the value for ad.anynet.networkrelay in system.conf)

Again, IPv4 value is for that of the relay, not my instance.

Other ad.trace entries worth noting:

- anynet.relay_conn = external address (this is your public IPv4 address)
- anynet.main_relayconn = part of the connected relay hostname (see above)
- anynet.connection_mgr = contains the Client ID (this is the value presented to the user through the application interface and also required by those connecting remotely)

The following is generated in ad.trace after a successful connection & file transfer (The public IP has been replaced with remote.malicious.ip)

'Logged in from' is the IP address of the remote party.

From the remote terminal, I browsed the victim's files (file transfer is enabled by default). I could not access any system directories due to insufficient permissions, however I was able to download several files from the victim's Google Chrome profile directory.

However, I could not find any logs indicating which files were actually transferred (whether successfully or not). There is also no indication of the file transfer size (which you could otherwise use to infer which file/s were transferred).
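To turn the ad.trace snippets above into a quick timeline, here is an added example (not part of the original write-up or of AnyDesk) that parses the line layout shown on this page and pulls out process starts, relay hostnames and relay IPs. The sample text is constructed from the lines quoted above; the column layout is assumed from those lines only.

```python
import re
from collections import namedtuple
from datetime import datetime, timezone

# Layout of an ad.trace line as seen in the snippets above (assumed from them):
# <level> <date> <time> <component> <pid> <tid> [<n>] <module> - <message>
# lsvc lines carry one extra numeric column before the module name.
LINE_RE = re.compile(
    r"^\s*(?P<level>\w+)\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<comp>\w+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?:\d+\s+)?"
    r"(?P<module>[\w.]+)\s+-\s+(?P<msg>.*)$"
)
Event = namedtuple("Event", "ts level comp pid module msg")

# Constructed sample: the lines quoted above, re-typed for this demo.
SAMPLE = r"""
   info 2022-03-18 01:56:24.672      front   2428   7036 main - Process started at 2022-03-18. PID 2428. OS is Windows 10 (64 bit)
  error 2022-03-18 01:56:28.622      front   2428   5044                    os_win.fs_sentinel - Failed to monitor 'C:\Users\Public\AccountPictures\S-1-5-21-4283608420-3620247853-3965221735-1001' (2).
   info 2022-03-18 01:56:28.915       lsvc   6956   5212   12                base.proxy_finder - Skipping search. Next search in 59406 ms.
   info 2022-03-18 01:56:28.915       lsvc   6956   5212   12           anynet.relay_connector - Connecting to relay boot.net.anydesk.com (1/1)
   info 2022-03-18 01:56:28.915       lsvc   6956   5212   12           anynet.relay_connector - Using IPv4: 213.239.219.11
   info 2022-03-18 02:00:19.971       lsvc   6180   4204    8           anynet.relay_connector - Connecting to relay relay-f292f5b5.net.anydesk.com (1/4)
   info 2022-03-18 02:00:20.036       lsvc   6180   4204    8           anynet.relay_connector - Using IPv4: 143.244.62.119
"""

def parse_trace(text):
    """Parse ad.trace text into Events; timestamps are tagged UTC, as the log is written in UTC."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # blank or unrecognised lines are skipped, not guessed at
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["level"], m["comp"], int(m["pid"]), m["module"], m["msg"]))
    return events

def summarize(events):
    """Collect the artefacts discussed above: process starts, relay hostnames, relay IPs, error count."""
    out = {"process_starts": [], "relays": [], "relay_ips": [], "errors": 0}
    for e in events:
        if e.msg.startswith("Process started"):
            out["process_starts"].append((e.ts.isoformat(), e.pid))
        if e.level == "error":
            out["errors"] += 1
        for key, pat in (("relays", r"Connecting to relay (\S+)"), ("relay_ips", r"Using IPv4: (\S+)")):
            m = re.match(pat, e.msg)
            if m:
                out[key].append(m.group(1))
    return out

if __name__ == "__main__":
    for k, v in summarize(parse_trace(SAMPLE)).items():
        print(k, v)
```

Remember that the relay IPs are AnyDesk infrastructure, not the remote party; the remote party's address comes from the 'Logged in from' entries.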

➡️ C:\Users\username\AppData\Roaming\AnyDesk\connection_trace.txt

This file is only generated after a connection is made (either accepted or rejected).

Incoming connection requests. Time is in UTC. The value 732092099 is the ID of the remote connector, i.e. the party who initiated the remote connection.

➡️ C:\Users\username\AppData\Roaming\AnyDesk\service.conf

Contains cert and private key for encrypted traffic

➡️ C:\Users\username\AppData\Roaming\AnyDesk\system.conf

Of interest here would be the ad.anynet.id value (which is the same as what is displayed in the user interface when it's executed), as well as the anynet.last_relay value (and ports used).

➡️ C:\Users\username\AppData\Roaming\AnyDesk\user.conf

Mostly values set for the user interface itself.

This value is set in user.conf after a successful connection. 732092099 is the ID of the remote party.

Linux File/Log Locations

TBA

References

https://support.anydesk.com/knowledge/trace-files
