AnyDesk Compromised – Automox [FIX]

Update (02/05/2024)

An Automox Worklet™ is now available to search for and remediate .exe, .ps1, and .msi packages signed with the compromised AnyDesk certificate on Windows endpoints

The publicly available PowerShell script has also been updated to include scanning .ps1 files.

AnyDesk Compromised – How to Mitigate

AnyDesk Software GmbH recently announced their production systems were compromised and that they are revoking code signing certificates prior to AnyDesk Windows version 8.0.8. As a best practice, whenever a code signing certificate is compromised, any executable in your environment signed with that certificate should be identified and removed immediately.

This advice applies regardless of whether you are an AnyDesk customer – everyone should regularly detect and remove software signed with the compromised certificate until you have confirmed the relevant certificate revocation is in effect within your environment. Because the potential scope is so broad, we are making our fix freely available to the public.

Automox supports automated patching of AnyDesk, so we recommend checking your patch policies and implementing the latest AnyDesk patches immediately.

We also recommend running the following scripts after patching to ensure no other executables in your environment are signed with the same certificate. These recommendations apply to everyone, regardless of whether you are an Automox customer or not (yet).

Mitigate AnyDesk Certificate Vulnerability Script

How it Works

Automox has developed a publicly available PowerShell script that identifies and reports the presence of the compromised AnyDesk certificate on Windows devices. It searches the Windows certificate stores of both the local machine and the current user for any certificate whose serial number matches AnyDesk’s compromised certificate. If a match is found, the details of that certificate are reported.

After the certificate check, it searches the entire system drive for .ps1, .exe, and .msi files signed with the compromised serial number, reporting the files it finds but removing them only when explicitly instructed to through the $removeExecutable parameter.

Mitigation Script

<#
.SYNOPSIS
   This script will detect if a compromised certificate for AnyDesk client version < 8.0.8 exists on a device and provide the ability to delete any executable(s) that are signed with the cert.
.DESCRIPTION
    On February 2, 2024 AnyDesk Software GmbH announced that their production systems were compromised and that they are revoking code signing certificates prior to AnyDesk version 8.0.8
    This script will iterate through all certificates within the Windows Certificate Store and look for a match against the compromised AnyDesk certificate's serial number.
    If found, the certificate details will be output to your Automox Activity Log.
    It will then perform a recursive search through all .exe, .msi, and .ps1 files on the device's SystemDrive, looking for a signing match for the compromised serial number.
    In the script's default state, if an executable with a compromised certificate is found, it will be reported to the console but it will NOT be deleted.
    To delete the executable, you MUST set the $removeExecutable parameter to $true in the Remediation Code.
    Note, the search for the compromised executable may take an extended period depending on the device's disk speed and file structure.
.PARAMETER $serialNumberToFind
    A `[ String ]` defining the serial number of the certificate and executable to search for.
.EXAMPLE
    $serialNumberToFind = "0DBF152DEAF0B981A8A938D53F769DB8"
        This is defaulted to the AnyDesk compromised certificate.
.PARAMETER $removeExecutable
    A `[ Boolean ]` defining if the compromised executable should be deleted from the device if found.
        This value is defaulted to $false, meaning the executable will remain on the device.
        If this value is set to $true, any matching executable that is found will be force deleted.
.EXAMPLE
    $removeExecutable = $false
        Detected executables will remain on the device.
.EXAMPLE
    $removeExecutable = $true
        Detected executables will be deleted.
.NOTES
    Additional Log output can be enabled by uncommenting $VerbosePreference.
    This script will not uninstall AnyDesk from a device!
    It is merely a tool for reporting against and acting on the compromised certificate and executables.
    HISTORY
        Name: Automox
        Date: 02/02/2024
        Version: 1.0.0
            - Initial Release.
.LINK
    https://www.automox.com/blog/anydesk-compromised-automox-fix/
#>

#########################################
# DEFINE PARAMETERS

# Define the serial number to search for
$serialNumberToFind = '0DBF152DEAF0B981A8A938D53F769DB8' # This is defaulted to the AnyDesk compromised certificate.

# Switch for removing the compromised executables
$removeExecutable = $false # Set to $true if the file(s) should be deleted.

#########################################
# DEFINE VERBOSITY PREFERENCE

# Uncommenting $VerbosePreference will expose additional script output
# This can be used for troubleshooting purposes
# $VerbosePreference = 'Continue'

#########################################
# PREDEFINED PARAMETERS

# Defining AnyDesk service & process
$appProc = 'AnyDesk'

# Defining the certificate stores and names to search in
$storeLocations = @('LocalMachine', 'CurrentUser')
$storeNames = @('My', 'Root', 'TrustedPublisher')

# Setting flag for certificate detection
$certificateFound = $false

#########################################
# DECLARING FUNCTIONS

function testBinarySignature {
    param (
        [ Parameter ( Position = 0, Mandatory = $true ) ]
        [ System.String ] $FilePath,

        [ Parameter ( Position = 1, Mandatory = $true ) ]
        [ System.String ] $SerialNumber
    )

    # Read the Authenticode signature. -LiteralPath keeps wildcard characters in file names literal,
    # and locked or unreadable files yield $null instead of terminating the scan.
    $signature = Get-AuthenticodeSignature -LiteralPath $FilePath -ErrorAction SilentlyContinue

    # Compare the signer's serial number (-eq is case-insensitive for strings)
    if ( $null -ne $signature -and $null -ne $signature.SignerCertificate ) {
        return $signature.SignerCertificate.SerialNumber -eq $SerialNumber
    }
    return $false
}

#########################################

#--! Begin certificate search !--

Write-Verbose 'Searching the certificate store for serial number matches...'

# Iterate through store locations
foreach ( $storeLocation in $storeLocations ) {

    # Iterate through store names
    foreach ( $storeName in $storeNames ) {

        # Open the certificate store read-only
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store( $storeName, $storeLocation )
        $store.Open( [ System.Security.Cryptography.X509Certificates.OpenFlags ]::ReadOnly )

        # Define search by serial number
        $certificates = $store.Certificates | Where-Object { $_.SerialNumber -eq $serialNumberToFind }

        # Iterate through certificates
        foreach ( $certificate in $certificates ) {

            # Set found flag to true
            $certificateFound = $true

            # Indicate that certificate match was found
            Write-Output 'A certificate match was found!'

            # Prepare the details for the certificate ([ordered] keeps the output in this order)
            $certificateDetails = [ordered]@{
                'Store'         = $storeName
                'Location'      = $storeLocation
                'Issuer'        = $certificate.Issuer
                'Serial Number' = $certificate.SerialNumber
                'Subject'       = $certificate.Subject
                'Thumbprint'    = $certificate.Thumbprint
            }

            # Output the certificate details
            $certificateDetails.GetEnumerator() | ForEach-Object {
                Write-Output "$( $_.Key ): $( $_.Value )"
            }
        }

        # Close the store whether or not a match was found
        $store.Close()

        # If certificate found, skip the remaining stores in this location
        if ( $certificateFound ) {
            break
        }
    }

    # If certificate found, skip the remaining locations
    if ( $certificateFound ) {
        break
    }
}

# Indicate if certificate match was not found
if ( -not $certificateFound ) {
    Write-Output 'A certificate match was not found.'
}

#########################################

# --! Begin executable search !--

Write-Verbose 'Searching for compromised executables...'

# Search for .exe, .msi, and .ps1 files starting from the root drive
# -File skips directories whose names happen to end in one of these extensions; -Force includes hidden and system files
$files = Get-ChildItem -Path "${env:SystemDrive}\" -Recurse -File -Force -Include *.exe, *.msi, *.ps1 -ErrorAction SilentlyContinue

# Filter files by checking their signature
$matchingFiles = @()
foreach ( $file in $files ) {
    if ( testBinarySignature -FilePath $file.FullName -SerialNumber $serialNumberToFind ) {
        $matchingFiles += $file.FullName
    }
}

# Executable was found, attempt force delete
if ( $matchingFiles.Count -gt 0 ) {

    # Stop AnyDesk services & processes
    Write-Verbose 'Stopping AnyDesk services & processes'
    Stop-Service -Name $appProc -Force -ErrorAction SilentlyContinue
    Stop-Process -Name $appProc -Force -ErrorAction SilentlyContinue

    Write-Output 'Found compromised executable:'
    foreach ( $file in $matchingFiles ) {

        # Output the detected file(s)
        Write-Output "FOUND: $file"

        # If $removeExecutable switch is true, delete the file(s).
        if ( $removeExecutable ) {
            Write-Verbose 'The removeExecutable variable is set to true. Proceeding with file deletion...'
            try {
                # -LiteralPath so that brackets or other wildcard characters in the path are not interpreted
                Remove-Item -LiteralPath $file -Force
                Write-Output "Successfully deleted: $file"
            }

            catch {
                Write-Error "Failed to delete: $file. Error: $_"
                exit 16
            }
        }

        # If $removeExecutable switch is false, indicate that the files will not be deleted.
        else {
            Write-Output 'The removeExecutable variable is set to false. The file will not be deleted.'
        }
    }
}

else {
    Write-Output 'No matching signed executables found. Device is compliant.'
    exit 0
}
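The advice above is to keep hunting for and removing files signed with this certificate until the revocation is confirmed to be in effect in your environment. The function below is an added example for that confirmation step, not part of the Automox script: it reuses $serialNumberToFind and $matchingFiles from the script above (so it assumes the script has run in the same session), and the function name Test-SignerRevocation is this example's own. It builds the signer's chain with online CRL/OCSP checking and reports whether this host sees the certificate as revoked, not revoked, or unknown (revocation servers unreachable).

```powershell
# Added example (not part of the Automox script). Reuses $serialNumberToFind and $matchingFiles
# from the script above; the function name Test-SignerRevocation is this example's own.
function Test-SignerRevocation {
    param (
        [ Parameter ( Position = 0, Mandatory = $true ) ]
        [ System.String ] $FilePath,

        [ Parameter ( Position = 1, Mandatory = $true ) ]
        [ System.String ] $SerialNumber
    )

    # Unreadable or unsigned files are reported rather than raising an error
    $signature = Get-AuthenticodeSignature -LiteralPath $FilePath -ErrorAction SilentlyContinue
    if ( $null -eq $signature -or $null -eq $signature.SignerCertificate ) {
        return [pscustomobject]@{ File = $FilePath; Signer = ''; Result = 'Unsigned' }
    }

    $cert = $signature.SignerCertificate
    if ( $cert.SerialNumber -ne $SerialNumber ) {
        return [pscustomobject]@{ File = $FilePath; Signer = $cert.Subject; Result = 'OtherSigner' }
    }

    # Build the signer's chain with live CRL/OCSP lookups so the verdict reflects this host's view
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.Build( $cert )   # $false on any problem; the reasons are listed in ChainStatus

    # Collapse every reported status into one set of flags
    $flagType = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    $flags = 0
    foreach ( $status in $chain.ChainStatus ) { $flags = $flags -bor [int]$status.Status }
    $chain.Dispose()

    $result = if ( $flags -band $flagType::Revoked ) {
        'Revoked'             # this host now rejects the certificate: revocation is in effect here
    } elseif ( $flags -band ( $flagType::RevocationStatusUnknown -bor $flagType::OfflineRevocation ) ) {
        'RevocationUnknown'   # CRL/OCSP unreachable: not a confirmation either way
    } else {
        'NotRevoked'          # this host still accepts the certificate: keep hunting and removing
    }

    return [pscustomobject]@{ File = $FilePath; Signer = $cert.Subject; Result = $result; Flags = $flags }
}

# Usage: re-check each file the main script collected in $matchingFiles
foreach ( $file in $matchingFiles ) {
    Test-SignerRevocation -FilePath $file -SerialNumber $serialNumberToFind
}
```

A result of RevocationUnknown on a host with no outbound access to the CA's CRL/OCSP endpoints is expected and should not be read as the certificate still being trusted.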

YARA Rule

If you’re having difficulty finding the version of AnyDesk you’re currently running, this YARA rule can help detect if the invalidated certificate is being used. 
