dissect.target.plugins.apps.remoteaccess.anydesk

Module Contents

Classes

AnydeskPlugin

Anydesk plugin.

class dissect.target.plugins.apps.remoteaccess.anydesk.AnydeskPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugins.apps.remoteaccess.remoteaccess.RemoteAccessPlugin

Anydesk plugin.

__namespace__ = 'anydesk'

Defines the plugin namespace.

SERVICE_GLOBS = ('sysvol/ProgramData/AnyDesk/*.trace', 'sysvol/ProgramData/AnyDesk/ad_*/*.trace',...
FILETRANSFER_SERVICE_LOGS = ('sysvol/ProgramData/AnyDesk/file_transfer_trace.txt',)
FILETRANSFER_USER_LOGS = ('AppData/Roaming/AnyDesk/file_transfer_trace.txt',)
USER_GLOBS = ('AppData/Roaming/AnyDesk/*.trace', 'AppData/Roaming/AnyDesk/ad_*/*.trace',...
RemoteAccessLogRecord
RemoteAccessFileTransferRecord
trace_files: set[tuple[dissect.target.helpers.fsutil.TargetPath, dissect.target.plugins.general.users.UserDetails | None]]
filetransfer_files: set[tuple[dissect.target.helpers.fsutil.TargetPath, dissect.target.plugins.general.users.UserDetails | None]]
check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

logs() → collections.abc.Iterator[RemoteAccessLogRecord]

Parse AnyDesk trace files.

AnyDesk is a remote desktop application and can be used by adversaries to get (persistent) access to a machine. Log files (.trace files) can be stored in various locations, depending on the target OS and client type. Timestamps in trace files do not carry a time zone designator (TZD) but are in fact UTC.

filetransfer() → collections.abc.Iterator[RemoteAccessFileTransferRecord]

Parse AnyDesk filetransfer files.

AnyDesk is a remote desktop application and can be used by adversaries to get (persistent) access to a machine. File transfer logs (file_transfer_trace.txt) show which files were downloaded to a system. Timestamps in trace files do not carry a time zone designator (TZD) but are in fact UTC.
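The UTC note in logs() and filetransfer() matters when trace records are merged with other evidence. The following is an added example, not dissect code: it tags parsed timestamps as UTC and shows how the timeline changes when they are misread as local time. The line layout, the sample trace, the second-source event and all function names are constructed assumptions.

```python
# Added example: not dissect code. The line layout below is an assumption.
import re
from datetime import datetime, timedelta, timezone

# Assumed layout: "<level> <YYYY-MM-DD HH:MM:SS.mmm> <rest of line>"
LINE_RE = re.compile(
    r"^\s*(?P<level>\w+)\s+"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<message>.*)$"
)

# Constructed sample, not taken from a real system.
SAMPLE_TRACE = """\
   info 2024-03-01 09:58:12.104 gsvc 4112 4500 anynet.example - Session opened.
this line does not match and is skipped
warning 2024-03-01 10:03:40.250 gsvc 4112 4500 app.example - Session closed.
"""

def parse_trace(text):
    """Yield (timestamp, level, message); timestamps are tagged as UTC."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate malformed or unrelated lines
        naive = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        yield naive.replace(tzinfo=timezone.utc), m["level"], m["message"]

def merge_timeline(trace_text, other_events):
    """Merge trace records with timezone-aware events from another source."""
    rows = [(ts, "anydesk", msg) for ts, _, msg in parse_trace(trace_text)]
    rows += [(ts, src, msg) for ts, src, msg in other_events]
    return sorted(rows, key=lambda r: r[0])

def misread_as_local(text, utc_offset_hours):
    """What an analyst gets by wrongly treating trace times as local time."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return [ts.replace(tzinfo=tz) for ts, _, _ in parse_trace(text)]

# Constructed event from a second source, recorded at UTC+02:00 (10:00 UTC).
LOGON = (datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone(timedelta(hours=2))),
         "eventlog", "interactive logon")

if __name__ == "__main__":
    for ts, src, msg in merge_timeline(SAMPLE_TRACE, [LOGON]):
        print(ts.astimezone(timezone.utc).isoformat(), src, msg)
```

Read as UTC, the logon falls between the two trace records; read as UTC+02:00 local time, both trace records appear two hours earlier and precede the logon.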