DFIR Next Steps: Suspicious AnyDesk Use

Welcome back to the next post in our DFIR Next Steps series on remote monitoring and management (RMM) tools. This post will focus on AnyDesk. 

Check out our previous posts in the series: 

Now, let’s analyze AnyDesk! 

AnyDesk Overview

AnyDesk is a remote desktop application developed by AnyDesk Software GmbH. 

It enables platform-independent remote access across:

  • Windows
  • macOS
  • Linux
  • iOS
  • Android
  • And more

It has features like: 

  • VPN
  • REST API
  • File transfer
  • Session logs
  • Remote printing
  • Unattended access
  • And more

6Sense reports that AnyDesk has up to 10% of the remote support market share, second only to TeamViewer.

AnyDesk has a much simpler fingerprint and product lineup than TeamViewer and LogMeIn. A single, highly configurable exe is used in every role (client, server, service). AnyDesk is also offered as a single product, with licensing tiers that unlock additional functionality.

Key features:

  • Simple and easy to deploy: Single exe that’s highly configurable and can be installed using the exe.
  • Can run as single exe: More likely to be used in tech support scams because it’s easy to download and deploy.
  • Can be installed: More likely to be used in ransomware attacks for persistence.
  • Unattended access: No user interaction is required on the remote system, making stealthy remote access easy.
  • No account requirement: AnyDesk does not require an account to use its product, although capabilities are limited without a license.*
  • Flexible deployment: Cloud and on-premises capabilities exist.

Note: *This differs from TeamViewer and LogMeIn, which both require an account to be associated with their software to initiate outgoing connections.

Examples of AnyDesk abuse:

  • DFIR Report: Ransomware group installed AnyDesk to maintain persistence.
  • CISA: Portable version of AnyDesk was abused by threat actors to maintain persistence to the system and carry out refund scams.
  • ThreatDown: Ransomware groups installed AnyDesk to maintain persistence and go undetected using “known” and “safe” RMM tools.
  • CyberSecurityNews: AnyDesk was used to maintain persistence, exfil data, and bring in additional malicious PowerShell payloads.

AnyDesk Indicators of Existence

This section provides a list of indicators you can use to identify AnyDesk activity on an endpoint.

Exe Names

AnyDesk.exe/AnyDesk*.exe
Description: AnyDesk uses a single exe for all of its functionality, but it’s highly configurable.
Known path(s): 

  • Portable version could be placed anywhere.
  • Default installed location:
    • C:\Program Files (x86)\AnyDesk 
    • C:\Program Files (x86)\AnyDesk* **
Notes: 

  • Custom exes can be made with embedded configuration options to control which settings are enabled and how the application can be used. These custom exes have different names and by default look like AnyDesk-ad_*. Ex: AnyDesk-ad_679ecc64
  • AnyDesk can be run from the command line, and its arguments are documented here.
  • It’s best to check the PE header info to help identify renamed AnyDesk exes, since it’s the only exe needed to run. PE header info:
    • ProductName: AnyDesk
    • Legal Copyright: (C) 2025 AnyDesk Software GmbH
    • FileDescription: AnyDesk
    • CompanyName: AnyDesk Software GmbH

Note: **Custom-made exes and MSIs will have a different default installation path that includes an identifier. Ex: C:\Program Files (x86)\AnyDesk-ad_679ecc64

Config/Log Files

User.conf
Description: Contains user-specific configuration data for AnyDesk. Most of the AnyDesk settings that can be configured in the UI are stored here.
Known path(s):

  • C:\Users\*\AppData\Roaming\AnyDesk\ (portable)
  • C:\Users\*\AppData\Roaming\AnyDesk\ad_*\ (portable using custom exe)
Notes: 

  • File is created when AnyDesk starts up if it does not already exist. File creation timestamp can be used to indicate the first time AnyDesk was run by a user. 
  • Some notable entries:
    • ad.privacy.chat.path=C:\\new_chat_log_folder: User-defined location for chat logs.
    • ad.recording.path=C:\\new_session_recording: User-defined location for session recordings.
    • ad.screen_recording.path=C:\\new_screen_recording: User-defined location for screen recordings.
    • ad.privacy.scrshot.path=C:\\new_screenshots: User-defined location for screenshots.
    • ad.account.recent_logged_in_user=someone@gmail.com: Email address linked to the AnyDesk instance.
    • Other lines can reveal AnyDesk IDs that have been connected to in the past. Ex: ad.roster.items, ad.session.follow_remote_focus, ad.session.local_browser_start_path, and ad.session.remote_browser_start_path
Example: [screenshot of user.conf]

System.conf
Description: Contains system-specific AnyDesk configuration information.
Known path(s):

  • C:\Users\*\AppData\Roaming\AnyDesk\ (portable)
  • C:\Users\*\AppData\Roaming\AnyDesk\ad_*\ (portable using custom exe)
  • %programdata%\AnyDesk\ (installed)
  • %programdata%\AnyDesk\ad_*\ (installed using custom exe/msi)
Notable entries:

  • ad.anynet.id=255675538: AnyDesk ID used to connect to the system.
  • ad.anynet.alias=test-test@ad: AnyDesk alias used to connect to the system.
Example: [screenshot of system.conf]
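As an added example (not code from the original post or from AnyDesk), the following Python pulls the user.conf and system.conf entries called out above into a small triage summary. It assumes the files are plain key=value lines with path backslashes stored doubled, that AnyDesk IDs are 9 to 10 digit numbers, and works on constructed sample contents:

```python
# Added example (not from the post or AnyDesk): pull triage-relevant entries out
# of AnyDesk user.conf and system.conf. Assumptions: one key=value per line,
# path backslashes stored doubled ("C:\\dir"), AnyDesk IDs are 9-10 digits.
import re

# Constructed sample contents, modelled on the entries listed above.
SAMPLE_USER_CONF = r"""
ad.privacy.chat.path=C:\\new_chat_log_folder
ad.recording.path=C:\\new_session_recording
ad.account.recent_logged_in_user=someone@gmail.com
ad.roster.items=245454558,1364343461
ad.ui.lang=en
"""
SAMPLE_SYSTEM_CONF = r"""
ad.anynet.id=255675538
ad.anynet.alias=test-test@ad
"""

# Keys the post singles out, grouped by what they tell an investigator.
IDENTITY_KEYS = ("ad.anynet.id", "ad.anynet.alias",
                 "ad.account.recent_logged_in_user")
PATH_KEYS = ("ad.privacy.chat.path", "ad.recording.path",
             "ad.screen_recording.path", "ad.privacy.scrshot.path")
HISTORY_KEYS = ("ad.roster.items", "ad.session.follow_remote_focus",
                "ad.session.local_browser_start_path",
                "ad.session.remote_browser_start_path")
ANYDESK_ID = re.compile(r"(?<!\d)\d{9,10}(?!\d)")

def parse_conf(text):
    """key=value per line; blank lines and lines without '=' are ignored."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            # Undo the doubled backslashes so paths are usable as-is.
            conf[key.strip()] = value.strip().replace("\\\\", "\\")
    return conf

def triage(user_conf_text, system_conf_text):
    """Merge both files; report identity, relocated artefact folders
    (chat logs, recordings, screenshots) and remote IDs found in history keys."""
    conf = {**parse_conf(system_conf_text), **parse_conf(user_conf_text)}
    remote_ids = set()
    for key in HISTORY_KEYS:
        remote_ids.update(ANYDESK_ID.findall(conf.get(key, "")))
    return {
        "identity": {k: conf[k] for k in IDENTITY_KEYS if k in conf},
        "relocated_paths": {k: conf[k] for k in PATH_KEYS if k in conf},
        "remote_ids": sorted(remote_ids),
    }
```

A non-empty relocated_paths result tells you the chat log, recording or screenshot folders described later in this post are not in their default locations.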

Connection_trace.txt
Description: Contains information about when incoming connections have been accepted/rejected and when outgoing invites were sent.
Known path(s):

  • C:\Users\*\AppData\Roaming\AnyDesk\ (portable)
  • C:\Users\*\AppData\Roaming\AnyDesk\ad_*\ (portable using custom exe)
  • %programdata%\AnyDesk\ (installed)
  • %programdata%\AnyDesk\ad_*\ (installed using custom exe/msi)
Notes:

  • Does not record failed attempts when using password-based access. The closest thing to a failed attempt is “REJECT,” which means the user on the remote system did not accept the connection when prompted.
  • Log fields:
    • 1st column: Direction, either incoming or outgoing. Note that outgoing does not cover all outgoing connections, only those made via the invite feature.
    • 2nd column: Timestamp of the event in UTC.
    • 3rd column: Authentication type: User, REJECTED, Password.
    • 4th column: Remote AnyDesk alias; if none is defined, the AnyDesk ID is used.
    • 5th column: Remote AnyDesk ID.
Example: [screenshot of connection_trace.txt]

File_transfer_trace.txt
Description: Contains information about files uploaded or downloaded to the system. File is generated on both sides of the connection and is only created or updated when a file transfer occurs.
Known path(s):

  • C:\Users\*\AppData\Roaming\AnyDesk\ (portable)
  • C:\Users\*\AppData\Roaming\AnyDesk\ad_*\ (portable using custom exe)
  • %programdata%\AnyDesk\ (installed)
  • %programdata%\AnyDesk\ad_*\ (installed using custom exe/msi)
Notes: Log file only contains file names and not paths of files transferred.
Example: [screenshot of file_transfer_trace.txt]

Ad.trace/Ad*.trace
Description: Contains detailed application-level logging for AnyDesk to allow application troubleshooting. Data isn’t structured like other log files, so it’s not as straightforward to use. It does, however, contain a lot of useful information like remote IPs, AnyDesk IDs, connection times, files transferred, etc.
Known path(s):

  • C:\Users\*\AppData\Roaming\AnyDesk\ (portable)
  • C:\Users\*\AppData\Roaming\AnyDesk\ad_*\ (portable using custom exe)
  • %programdata%\AnyDesk\ (installed)
  • %programdata%\AnyDesk\ad_*\ (installed using custom exe/msi)
Notes: Log file only contains file names and not the paths of files transferred.

Folders

AnyDesk Installation Folder
Description: Main folder where AnyDesk is installed. It contains a single file: AnyDesk exe.
Known path(s):

  • C:\program files (x86)\AnyDesk (standard installer)
  • C:\program files (x86)\AnyDesk-ad_* (custom installer)
Notes: Folder creation date can indicate when AnyDesk was installed.

AnyDesk Data Folder
Description: Main folder where AnyDesk configuration and logging files live.
Known path(s):

  • C:\Users\*\AppData\Roaming\AnyDesk\ (portable)
  • C:\Users\*\AppData\Roaming\AnyDesk\ad_*\ (portable using custom exe)
  • %programdata%\AnyDesk\ (installed)
  • %programdata%\AnyDesk\ad_*\ (installed using custom exe/msi)
Notes: Folder creation date can indicate the first time AnyDesk was run.
Example: [screenshot of the AnyDesk data folder]

Chat Log Folder
Description: Contains chat logs. Chat log file is created for each unique device that has chatted with the host. Name of chat file is the AnyDesk device ID.
Known path(s):

  • C:\Users\*\AppData\Roaming\AnyDesk\chat (portable)
  • C:\Users\*\AppData\Roaming\AnyDesk\ad_*\chat (portable using custom exe)
  • %programdata%\AnyDesk\chat (installed)
  • %programdata%\AnyDesk\ad_*\chat (installed using custom exe/msi)
Notes:

  • Default location can be changed via settings. The configured location is stored in user.conf.
  • Chat logs are only created/updated when the chat feature is used. As a result, it can provide insight into when some activity occurs. It is not reliable to identify when all connections are made.
  • Timestamps are stored in UTC.
  • Chat log will appear on both devices.
Example: [screenshot of chat logs]

Session Recording Folder
Description: Contains session recordings for both incoming and outgoing sessions. This can be initiated manually during a session or configured to occur each time a session is started via settings.
Known path(s): C:\Users\*\Videos\AnyDesk
Notes:

  • Default location can be changed via settings. Configured location is stored in user.conf.
  • File name contains the direction of the session (incoming or outgoing), the AnyDesk ID of both systems, as well as the users from both systems. By default, the user names used are the Windows users running the app, but display names can be configured as well.
  • Folder is created when AnyDesk starts up if it does not already exist. Folder creation timestamp can indicate the first time AnyDesk was run by a user.
Examples:

  • Incoming User1 (1364343461)-User2 (245454558) 0.anydesk
  • Outgoing User1 (1364343461)-User2 (245454558) 0.anydesk

Screen Recording Folder
Description: Contains screen recordings performed locally from AnyDesk.
Known path(s): C:\Users\*\Videos\AnyDesk\screen recordings
Notes: Folder is created when AnyDesk starts up if it does not already exist. The folder creation timestamp can indicate the first time AnyDesk was run by a user.
Examples: screen_recording_20250904165730_0.anydesk

Screenshot Folder
Description: Contains screenshots taken during a remote session.
Known path(s): C:\Users\*\Pictures\AnyDesk
Notes: Folder is created when AnyDesk starts up if it does not already exist. The folder creation timestamp can indicate the first time AnyDesk was run by a user.
Examples: anydesk00000.png

Domains

  • https://download.anydesk.com/AnyDesk.exe: Default download link for AnyDesk.
  • https://download.anydesk.com/AnyDesk-CM.exe: Download link for an AnyDesk build configured to only receive connections.
  • https://download.anydesk.com/AnyDesk-SM.exe: Download link for an AnyDesk build configured to only initiate connections.
  • https://my.anydesk.com/v2/api/v2/custom-clients/downloads/public/GIDDDDDDWHH1/file_name.exe: Public download link for custom-made AnyDesk exes. Anyone with the link can download.
  • https://my.anydesk.com/v2/builds/download/952535/new%20file%20name.exe: Private download link for custom-made AnyDesk exes. You need to log in to the associated account to download.
  • relay-*.net.anydesk.com: Cloud infrastructure used to download information and support remote connections. Ex: relay-c6eb91af.net.anydesk.com

DFIR Next Steps: How to Investigate Suspicious AnyDesk Use

The goal of this section is to provide some investigative questions that should be answered to help determine if the AnyDesk activity on the system is expected.

The four questions we’ll review: 

  1. Does the organization use AnyDesk?
  2. Is AnyDesk expected to be on the endpoint?
  3. What AnyDesk configuration is being used?
  4. Is the activity expected?

Now let’s dig into each: 

#1 Does the organization use AnyDesk?

  • Yes: Go to question 2.
  • No: Unauthorized AnyDesk tool found; it should most likely be removed. Proceed to question 4 to determine the impact. Ex: Did a threat actor bring it in, did a disgruntled IT administrator use it for nefarious activity, or was it an employee using it without bad intentions?

#2 Is AnyDesk expected to be on the endpoint?

  • Yes: Go to question 3.
  • No: Unauthorized AnyDesk tool found; it should most likely be removed. Proceed to question 4 to determine the impact. Ex: Did a threat actor bring it in, did a disgruntled IT administrator use it for nefarious activity, or was it an employee using it without bad intentions?

#3 What AnyDesk configuration is being used?

Determine if AnyDesk is being used as a standalone instance, an installed instance, or both. Installed instances are more likely to be legitimate and common within an organization, while standalone use is more common for personal use or remote support scenarios. If both are found, that may be another red flag warranting further investigation.

Indicators to look for installed version:

  • Exe is in program files.
  • AnyDesk data directory is in %programdata%.
  • AnyDesk Windows service has been created.

Indicators to look for portable version:

  • Exe is running from downloads or some other place where installed programs are not.
  • AnyDesk data directory is in %appdata%.

#4 Is the activity expected?

There are a lot of subquestions that need to be answered before the bigger question of whether the activity is expected can be answered.

Questions like:

  • Has AnyDesk been on the system for a long time, or is it new?
    • Check timestamps on the AnyDesk data folder to get an idea of when it was first run.
  • Are the users associated with AnyDesk activity expected?
    • If a portable version has been used, then the AnyDesk folder in %appdata% indicates the user has at least opened the app before.
    • Search ad_*.trace to get potential insight on remote users for incoming connections.
    • Search process execution history, such as Security.evtx event ID 4688, for users that executed AnyDesk.exe.
  • Are there new or suspicious outgoing connections from the device in question?
    • Parse connection_trace.txt to get insight into outgoing invites sent.
    • Parse ad_*.trace to get insight into outgoing connections.
      • Search for “Sending a connection request for address”
  • Are there new or suspicious incoming connections to the device in question?
    • Parse connection_trace.txt to get insight into incoming connections.
    • Parse ad_*.trace to get insight into incoming connections.
      • Search for “Incoming session request.”
  • Is there other suspicious activity that happened before?
    • Check the device timeline to see if other suspicious activity happened before AnyDesk was brought onto the system.
  • Is there other suspicious activity that happened after?
    • Check the device timeline to see if other suspicious activity happened after AnyDesk connections were made.
    • Check AnyDesk file transfer log to see what files were uploaded and downloaded.
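The connection_trace.txt parsing called for in the incoming/outgoing questions above, using the five-column layout described in the Config/Log Files section, as an added Python example (not code from the original post or from AnyDesk). It assumes the columns are tab-separated and the timestamp looks like "2025-09-04, 16:57:30"; the trace lines it runs on are constructed:

```python
# Added example (not from the post or AnyDesk): summarise connection_trace.txt
# per remote peer. Assumed layout, following the field list above: tab-separated
# direction, UTC timestamp "YYYY-MM-DD, HH:MM:SS", auth type, alias (or ID), ID.
from datetime import datetime, timezone

SAMPLE_TRACE = (  # constructed sample, not a real capture
    "Incoming\t2025-09-04, 16:57:30\tUser\t1364343461\t1364343461\n"
    "Incoming\t2025-09-04, 17:02:11\tREJECTED\ttest-test@ad\t245454558\n"
    "Incoming\t2025-09-05, 02:13:45\tPassword\t1364343461\t1364343461\n"
    "Outgoing\t2025-09-05, 08:00:00\tUser\tsupport@ad\t999888777\n"
    "not a trace line\n"  # malformed input must not abort the parse
)

def parse_connection_trace(text):
    """Return one dict per well-formed event; malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        parts = raw.rstrip("\r").split("\t")
        if len(parts) != 5:
            continue
        direction, ts, auth, alias, remote_id = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%d, %H:%M:%S")
        except ValueError:
            continue
        events.append({"direction": direction, "auth": auth, "alias": alias,
                       "remote_id": remote_id,
                       "when": when.replace(tzinfo=timezone.utc)})
    return events

def summarize_peers(events):
    """Per remote ID: incoming sessions, outgoing invites, rejections, password
    (unattended-access) logins, first/last seen. Failed password tries are not logged."""
    peers = {}
    for e in sorted(events, key=lambda ev: ev["when"]):
        p = peers.setdefault(e["remote_id"], {
            "incoming": 0, "outgoing_invites": 0, "rejected": 0,
            "password_auth": 0, "aliases": set(),
            "first_seen": e["when"], "last_seen": e["when"]})
        p["last_seen"] = e["when"]
        if e["alias"] != e["remote_id"]:
            p["aliases"].add(e["alias"])
        if e["auth"] == "REJECTED":
            p["rejected"] += 1
        elif e["direction"] == "Outgoing":
            p["outgoing_invites"] += 1
        else:
            p["incoming"] += 1
            p["password_auth"] += int(e["auth"] == "Password")
    return peers
```

Peers with password_auth above zero used unattended access, which is worth lining up against the device timeline questions that follow.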

How to Investigate Suspicious AnyDesk Use with Cyber Triage

Cyber Triage can be used to find RMM tools like AnyDesk on systems without the need for analysts or responders to remember all of the various file names, folder paths, web artifacts, log files, or registry keys. That detection logic is built into Cyber Triage to automate this process so defenders can spend more time determining if the RMM tool activity is expected or not. 

Cyber Triage will:

  • Automatically collect AnyDesk-specific log and configuration files.
  • Automatically detect AnyDesk indicators of existence on the system (along with over 40 other RMM products).
  • Automatically provide insight into how long AnyDesk has been on the system based on the various indicators of existence previously mentioned. For example, you’ll be able to tell the earliest and latest activity related to AnyDesk.

From there, analysts can follow the next steps outlined above to determine if the activity is expected or not. 

We have had engagements where Cyber Triage has flagged 3 or 4 different tools on a single endpoint. Even if these are not a result of malicious activity, it can help to root out poor security practices and act as a preventative measure to better secure access to such devices. 

[screenshot] Example of Cyber Triage detecting AnyDesk activity that is new to a system.

If you’d like to try Cyber Triage on an RMM investigation — or just to see if it speeds up your process in general — you can try it free for 7 days.

AnyDesk References