Suspicious Binary Writes Via AnyDesk (2d367498-5112-4ae5-a06a-96e7bc33a211)
Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to Red Canary research, it is highly abnormal for AnyDesk to write executable files to disk other than gcapi.dll, a legitimate DLL that ships with the Google Chrome web browser and is used to interact with the Google Cloud API. (See reference section for more details)
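The condition the description states (AnyDesk.exe creating a binary whose name is not gcapi.dll) is straightforward to express in code, and running it over a few records shows both what fires and where the name-only exemption is weak. The block below is an added example, not the Sigma rule and not Red Canary's or AnyDesk's code. It assumes file-creation telemetry in the shape of Sysmon Event ID 11 (FileCreate) records with `Image` and `TargetFilename` fields, and it assumes that ".exe" and ".dll" are what "binary files" means; the sample records are constructed, not real telemetry.

```python
# Added example: apply the rule's stated logic to Sysmon-style FileCreate records.
# Assumptions (not from the original page): records are dicts with the Sysmon
# FileCreate fields "EventID", "Image" and "TargetFilename"; "binary" means
# .exe or .dll; matching is case-insensitive, as Sigma string modifiers are.

FILECREATE_EVENT_ID = 11
BINARY_EXTENSIONS = (".exe", ".dll")   # assumption: what counts as a binary write
EXEMPT_BINARY = "gcapi.dll"            # the one binary the description exempts


def basename(path: str) -> str:
    """Last path component; accepts both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def is_suspicious_anydesk_write(event: dict) -> bool:
    """True when AnyDesk.exe creates a .exe/.dll that is not named gcapi.dll."""
    if event.get("EventID") != FILECREATE_EVENT_ID:
        return False
    if basename(event.get("Image", "")).lower() != "anydesk.exe":
        return False
    written = basename(event.get("TargetFilename", "")).lower()
    if not written.endswith(BINARY_EXTENSIONS):
        return False                   # text, logs, config: out of scope
    return written != EXEMPT_BINARY    # the exemption is by file name only


def find_suspicious(events: list) -> list:
    """Return the TargetFilename of every record the rule logic flags."""
    return [e["TargetFilename"] for e in events if is_suspicious_anydesk_write(e)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11,
     "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\AnyDesk\gcapi.dll"},   # exempt
    {"EventID": 11,
     "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\AnyDesk\payload.dll"}, # flagged
    {"EventID": 11,
     "Image": r"C:\Users\alice\Downloads\AnyDesk.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\update.exe"},       # flagged
    {"EventID": 11,
     "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\AnyDesk\connection_trace.txt"},  # not binary
    {"EventID": 11,
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\dropped.exe"},                        # not AnyDesk
    {"EventID": 1,
     "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\AnyDesk\other.dll"},   # not a FileCreate record
]

if __name__ == "__main__":
    for path in find_suspicious(SAMPLE_EVENTS):
        print("suspicious AnyDesk binary write:", path)
```

Two points the run makes visible. First, the match on the process is by image name only, so a renamed or relocated AnyDesk.exe still triggers, and a legitimate AnyDesk build that writes other binaries (for example during a self-update) will fire and should be baselined before alerting. Second, the exemption is also by name only: a payload dropped as gcapi.dll passes the filter, so a practitioner should pair this logic with a signature or hash check on the written file rather than rely on the file name alone.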
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Remote Access Software - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) | Attack Pattern | Suspicious Binary Writes Via AnyDesk (2d367498-5112-4ae5-a06a-96e7bc33a211) | Sigma-Rules | 1 |