Update (02/05/2024)
An Automox Worklet™ is now available to search for and remediate .exe, .ps1, and .msi packages signed with the compromised AnyDesk certificate on Windows endpoints.
The publicly available PowerShell script has also been updated to include scanning .ps1 files.
AnyDesk Compromised – How to Mitigate
AnyDesk Software GmbH recently announced their production systems were compromised and that they are revoking code signing certificates prior to AnyDesk Windows version 8.0.8. As a best practice, whenever a code signing certificate is compromised, any executable in your environment signed with that certificate should be identified and removed immediately.
This advice applies regardless of whether you are an AnyDesk customer – everyone should regularly detect and remove software signed with the compromised certificate until you have confirmed the relevant certificate revocation is in effect within your environment. Because the potential scope is so broad, we are making our fix freely available to the public.
Automox supports automated patching of AnyDesk, so we recommend checking your patch policies and implementing the latest AnyDesk patches immediately.
We also recommend running the following scripts after patching to ensure no other executables in your environment are signed with the same certificate. These recommendations apply to everyone, regardless of whether you are an Automox customer or not (yet).
Mitigate AnyDesk Certificate Vulnerability Script
How it Works
Automox has developed a publicly available PowerShell script that identifies and reports on the presence of the compromised AnyDesk certificate on Windows devices. It operates by searching the Windows certificate store, for both the system and users, to locate any certificates with a serial number that matches AnyDesk’s compromised certificate. If such a match is discovered, details about the software will be provided.
Subsequent to the certificate check, it conducts a thorough search across the system's drive for any .ps1, .exe, or .msi files signed with the compromised serial number, reporting found files but only removing them if explicitly instructed to do so through the $removeExecutable
parameter.
Mitigation Script
<#
.SYNOPSIS
This script will detect if a compromised certificate for AnyDesk client version < 8.0.8 exists on a device and provide the ability to delete any executable(s) that are signed with the cert.
.DESCRIPTION
On February 2, 2024 AnyDesk Software GmbH announced that their production systems were compromised and that they are revoking code signing certificates prior to AnyDesk version 8.0.8
This script will iterate through all certificates within the Windows Certificate Store and look for a match against the compromised AnyDesk certificate's serial number.
If found, the certificate details will be output to your Automox Activity Log.
It will then perform a recursive search through all .exe, .msi, and .ps1 files on the device's SystemDrive, looking for a signing match for the compromised serial number.
In the script's default state, if an executable with a compromised certificate is found, it be reported to the console but it will NOT be deleted.
To delete the executable, you MUST set the $removeExecutable parameter to $true in the Remediation Code.
Note, the search for the compromised executable may take an extended period depending on the device's disk speed and file structure.
.PARAMETER $serialNumberToFind
A `[ String ]` defining the serial number of the certificate and executable to search for.
.EXAMPLE
$serialNumberToFind = "0DBF152DEAF0B981A8A938D53F769DB8"
This is defaulted to the AnyDesk compromised certificate.
.PARAMETER $removeExecutable
A `[ Boolean ]` defining if the compromised executable should be deleted from the device if found.
This value is defaulted to $false, meaning the executable will remain on the device.
If this value is set to $true, any matching executable that is found will be force deleted.
.EXAMPLE
$removeExecutable = $false
Detected executables will remain on the device.
.EXAMPLE
$removeExecutable = $true
Detected executables will be deleted.
.NOTES
Additional Log output can be enabled by uncommenting $VerbosePreference.
This script will not uninstall AnyDesk from a device!
It is merely a tool for reporting against and acting on the compromised certificate and executables.
HISTORY
Name: Automox
Date: 02/02/2024
Version: 1.0.0
- Initial Release.
.LINK
https://www.automox.com/blog/anydesk-compromised-automox-fix/
#>
#########################################
# DEFINE PARAMETERS
# Define the serial number to search for
$serialNumberToFind = '0DBF152DEAF0B981A8A938D53F769DB8' # This is defaulted to the AnyDesk compromised certificate.
# Switch for removing the compromised executables
$removeExecutable = $false # Set to $true if the file(s) should be deleted.
#########################################
# DEFINE VERBOSITY PREFERENCE
# Uncommenting $VerbosePreference will expose additional script output
# This can be used for troubleshooting purposes
# $VerbosePreference = 'Continue'
#########################################
# PREDEFINED PARAMETERS
# Defining AnyDesk service & process
$appProc = 'AnyDesk'
# Defining the certificate stores and names to search in
$storeLocations = @('LocalMachine', 'CurrentUser')
$storeNames = @('My', 'Root', 'TrustedPublisher')
# Setting flag for certificate detection
$certificateFound = $false
#########################################
# DECLARING FUNCTIONS
function testBinarySignature {
param (
[ Parameter ( Position = 0, Mandatory = $true ) ]
[ System.String ]$FilePath,
[ Parameter ( Position = 1, Mandatory = $true ) ]
[ System.String ] $SerialNumber
)
$signature = Get-AuthenticodeSignature -FilePath $FilePath
if ( $null -ne $signature -and $null -ne $signature.SignerCertificate ) {
return $signature.SignerCertificate.SerialNumber -eq $SerialNumber
}
return $false
}
#########################################
#--! Begin certificate search !--
Write-Verbose 'Searching the certificate store for serial number matches...'
# Iterate through store locations
foreach ( $storeLocation in $storeLocations ) {
# Iterate through store names
foreach ( $storeName in $storeNames ) {
# Open the certificate store
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store( $storeName, $storeLocation )
$store.Open( [ System.Security.Cryptography.X509Certificates.OpenFlags ]::ReadOnly )
# Define search by serial number
$certificates = $store.Certificates | Where-Object { $_.SerialNumber -eq $serialNumberToFind }
# Iterate through certificates
foreach ( $certificate in $certificates ) {
# Set found flag to true
$certificateFound = $true
# Indicate that certificate match was found
Write-Output 'A certificate match was found!'
# Prepare the details for the certificate
$certificateDetails = @{
'Store' = $storeName
'Location' = $storeLocation
'Issuer' = $certificate.Issuer
'Serial Number' = $certificate.SerialNumber
'Subject' = $certificate.Subject
'Thumbprint' = $certificate.Thumbprint
}
# Output the certificate details
$certificateDetails.GetEnumerator() | ForEach-Object {
Write-Output "$( $_.Key ): $( $_.Value )"
}
# Close the store
$store.Close()
# If certificate found, break out of the inner loop
if ( $certificateFound ) {
break
}
}
}
# If certificate found, break out of the outer loop
if ( $certificateFound ) {
break
}
}
# Indicate if certificate match was not found
if ( -not $certificateFound ) {
Write-Output 'A certificate match was not found.'
}
#########################################
# --! Begin executable search !--
Write-Verbose 'Searching for compromised executables...'
# Search for .exe and .msi files starting from the root drive
$files = Get-ChildItem -Path "${env:SystemDrive}\" -Recurse -Include *.exe, *.msi, *.ps1 -ErrorAction SilentlyContinue
# Filter files by checking their signature
$matchingFiles = @()
foreach ( $file in $files ) {
if ( testBinarySignature -FilePath $file.FullName -SerialNumber $serialNumberToFind ) {
$matchingFiles += $file.FullName
}
}
# Executable was found, attempt force delete
if ( $matchingFiles.Count -gt 0 ) {
# Stop AnyDesk services & processes
Write-Verbose 'Stopping AnyDesk services & processes'
Stop-Service -Name $appProc -Force -ErrorAction SilentlyContinue
Stop-Process -Name $appProc -Force -ErrorAction SilentlyContinue
Write-Output 'Found compromised executable:'
foreach ( $file in $matchingFiles ) {
# Output the detected file(s)
Write-Output "FOUND: $file"
# If $removeExecutable switch is true, delete the file(s).
if ( $removeExecutable ) {
Write-Verbose 'The removeExecutable variable is set to true. Proceeding with file deletion...'
try {
Remove-Item -Path $file -Force -Recurse
Write-Output "Successfully deleted: $file"
}
catch {
Write-Error "Failed to delete: $file. Error: $_"
exit 16
}
}
# If $removeExecutable switch is false, indicate that the files will not be deleted.
else {
Write-Output 'The removeExecutable variable is set to false. The file will not be deleted.'
}
}
}
else {
Write-Output 'No matching signed executables found. Device is compliant.'
exit 0
}
YARA Rule
If you’re having difficulty finding the version of AnyDesk you’re currently running, this YARA rule can help detect if the invalidated certificate is being used.
Stay secure, stay ahead.
Start your free trial now.
Get started with Automox in no time.
By submitting this form you agree to our Master Services Agreement and Privacy Policy