Query Details

Binaries Using Anydesk Compromised Certificate

Query

let Timeframe = 7d; // Choose the best timeframe for your investigation
let SuspiciousAnydeskFileCertificate = DeviceFileCertificateInfo
    | where Timestamp > ago(Timeframe)
    | where CertificateSerialNumber =~ "0dbf152deaf0b981a8a938d53f769db8" // Compromised Certificate Serial Number
    | where Issuer == "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1"
    | project Timestamp, DeviceName, SHA1;
SuspiciousAnydeskFileCertificate
    | join (DeviceProcessEvents
    | where Timestamp > ago(Timeframe)
    | where ProcessVersionInfoCompanyName !contains @"AnyDesk"
    | project SHA1, ActionType, FileName, FolderPath, ProcessVersionInfoCompanyName, ProcessVersionInfoProductName, ProcessCommandLine, AccountName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
    )on SHA1
    | sort by Timestamp desc

About this query

Binaries using AnyDesk Compromised Certificate

Description

The following query will hunt for binaries not related to AnyDesk, signed with a potentially compromised signing certificate of AnyDesk.

References

Microsoft Defender XDR

MITRE ATT&CK Mapping

Source

Versioning

VersionDateComments
1.003/02/2024Initial publish

Explanation

This query is used to identify binaries that are not related to AnyDesk but are signed with a potentially compromised signing certificate of AnyDesk. It looks for files with a specific compromised certificate serial number and a specific issuer. It then joins these files with device process events to gather additional information such as file names, folder paths, and process information. The results are sorted by timestamp. The query is useful for detecting potential unauthorized use of compromised certificates.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: February 3, 2024

Tables

DeviceFileCertificateInfoDeviceProcessEvents

Keywords

DevicesIntuneUserBinariesAnyDeskCompromised CertificateTimestampDeviceNameSHA1CertificateSerialNumberIssuerDigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1ProcessVersionInfoCompanyNameActionTypeFileNameFolderPathProcessVersionInfoProductNameProcessCommandLineAccountNameInitiatingProcessAccountNameInitiatingProcessFileNameInitiatingProcessCommandLineMITRE ATT&CKTacticTechnique IDSteal or Forge Authentication Certificates

Operators

|==~.containsjoinsort bywhereprojectlet

MITRE Techniques

Actions

GitHub