← Back to Explore
sigmahighHunting
Suspicious Binary Writes Via AnyDesk
Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
Detection Query
selection:
Image|endswith:
- \AnyDesk.exe
- \AnyDeskMSI.exe
TargetFilename|endswith:
- .dll
- .exe
filter_dlls:
TargetFilename|endswith: \gcapi.dll
condition: selection and not 1 of filter_*
Author
Nasreddine Bencherchali (Nextron Systems)
Created
2022-09-28
Data Sources
windowsFile Events
Platforms
windows
References
Tags
attack.command-and-controlattack.t1219.002
Raw Content
title: Suspicious Binary Writes Via AnyDesk
id: 2d367498-5112-4ae5-a06a-96e7bc33a211
status: test
description: |
Detects AnyDesk writing binary files to disk other than "gcapi.dll".
According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll,
which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)
references:
- https://redcanary.com/blog/misbehaving-rats/
- https://thedfirreport.com/2025/02/24/confluence-exploit-leads-to-lockbit-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-28
modified: 2025-02-24
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith:
- '\AnyDesk.exe'
- '\AnyDeskMSI.exe'
TargetFilename|endswith:
- '.dll'
- '.exe'
filter_dlls:
TargetFilename|endswith: '\gcapi.dll'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: high