Forensic Analysis of AnyDesk Logs
Most threat actors during ransomware incidents utilise some type of remote access tools - one of them being AnyDesk. This is a free remote access tool that threat actors download onto hosts to access them easily and also for bidirectional file transfer.
There are two locations for where AnyDesk logs are stored on the Windows file system:
- %programdata%\AnyDesk\ad_svc.trace
- %appdata%\Anydesk\ad.trace
The AnyDesk logs can be found under the appdata located within each users' directory where the tool has been installed.
Forensic analysis of these logs reveal interesting pieces of information inside the "ad.trace" log:
Forensic analysis of these logs reveal interesting pieces of information inside the "ad.trace" log:
- Remote IP where the actor connected from
- File transfer activity
Locating the Remote IP Connecting to AnyDesk
Inside the "ad.trace" log you can grep for the following term "External address" and this should reveal the following line pasted below. I have redacted the IP for privacy's sake:
info 2021-02-04 23:25:10.500 lsvc 9988 6992 3 anynet.relay_conn - External address: 116.255.x.x:47220.
Locating File Transfer Activity
Similarly, inside the "ad.trace" logs under each users' %appdata% folder you should be grepping for the terms "files" and "app.prepare_task". This will reveal to you, from which folder the files are being copied from and also the number of files copied. In the screenshot below, 1 file was copied from the host to the remote host and it shows you the directory it was taken from:
Hello, while looking for analysis elements on AnyDesk I found your post and according to my own tests, the IP located at the line "External address" is in fact the IP of the target computer and not of the remote computer.
ReplyDeleteIt seems to me that the IP of the remote computer is on the "Logged in from" line.
Regards
The ip address we get is not the remote ip address, it is the ip address of the system from which logs are analysed.The "logged in from" line also is not able to provide remote external ip address. It just give internal ip address of remote system that was accessed
ReplyDeleteHi, Thanks for this post!
ReplyDeleteThe files you mentioned are deleted on my device (maybe they uninstalled it), but...
I also found that "connection_trace.txt" exists in "Appdata\Roaming\AnyDesk\". There I found something like:
Incoming YYY-MM-DD, HH:mm [Username] and a number with 9 characters.
I guess the number is a connection number associated with the AnyDesk connection number at that moment.
Maybe you can check if you have something simmilar and write something about it ;)
Greetings!
Hello, thanks for the pc analysis. Can I know the contents of mobile forensics?
ReplyDelete