Binaries Using Anydesk Compromised Certificate
Query
let Timeframe = 7d; // Choose the best timeframe for your investigation
let SuspiciousAnydeskFileCertificate = DeviceFileCertificateInfo
| where Timestamp > ago(Timeframe)
| where CertificateSerialNumber =~ "0dbf152deaf0b981a8a938d53f769db8" // Compromised Certificate Serial Number
| where Issuer == "DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1"
| project Timestamp, DeviceName, SHA1;
SuspiciousAnydeskFileCertificate
| join (DeviceProcessEvents
| where Timestamp > ago(Timeframe)
| where ProcessVersionInfoCompanyName !contains @"AnyDesk"
| project SHA1, ActionType, FileName, FolderPath, ProcessVersionInfoCompanyName, ProcessVersionInfoProductName, ProcessCommandLine, AccountName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
)on SHA1
| sort by Timestamp descAbout this query
Binaries using AnyDesk Compromised Certificate
Description
The following query will hunt for binaries not related to AnyDesk, signed with a potentially compromised signing certificate of AnyDesk.
References
- https://www.bleepingcomputer.com/news/security/anydesk-says-hackers-breached-its-production-servers-reset-passwords/
- https://github.com/Neo23x0/signature-base/blob/master/yara/gen_anydesk_compromised_cert_feb23.yar
Microsoft Defender XDR
MITRE ATT&CK Mapping
- Tactic: Credentials Access
- Technique ID: T1649
- Steal or Forge Authentication Certificates
Source
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 03/02/2024 | Initial publish |
Explanation
This query is used to identify binaries that are not related to AnyDesk but are signed with a potentially compromised signing certificate of AnyDesk. It looks for files with a specific compromised certificate serial number and a specific issuer. It then joins these files with device process events to gather additional information such as file names, folder paths, and process information. The results are sorted by timestamp. The query is useful for detecting potential unauthorized use of compromised certificates.
Details

Michalis Michalos
Released: February 3, 2024
Tables
DeviceFileCertificateInfoDeviceProcessEvents
Keywords
DevicesIntuneUserBinariesAnyDeskCompromised CertificateTimestampDeviceNameSHA1CertificateSerialNumberIssuerDigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1ProcessVersionInfoCompanyNameActionTypeFileNameFolderPathProcessVersionInfoProductNameProcessCommandLineAccountNameInitiatingProcessAccountNameInitiatingProcessFileNameInitiatingProcessCommandLineMITRE ATT&CKTacticTechnique IDSteal or Forge Authentication Certificates
Operators
|==~.containsjoinsort bywhereprojectlet
MITRE Techniques