
Windows - Security - Mitigate AnyDesk Certificate Vulnerability Worklet

Ensure your system's security with Automox's Worklet for mitigating the AnyDesk compromised certificate vulnerability. Rapidly detect & remediate software signed with AnyDesk's compromised certificate across Windows devices.

Worklet Details

PowerShell-based Windows - Security - Mitigate AnyDesk Certificate Vulnerability Worklet

The PowerShell-based Mitigate AnyDesk Certificate Vulnerability Worklet is designed to identify any software signed with AnyDesk's compromised code signing certificate. Because a code signing certificate was stolen, this is a risk to everyone – not just AnyDesk customers.

This Worklet ensures that any .ps1, .exe, or .msi files on the system's disk signed with the compromised certificate are flagged or removed, based on the options within the Worklet.

Why use the Mitigate AnyDesk Certificate Vulnerability Worklet?

Organizations should use the Mitigate AnyDesk Certificate Vulnerability Worklet as part of a thorough security audit to protect against threat actors.

AnyDesk has since released a new code signing certificate, but the previous code signing certificate is still a potential threat vector for signing malicious code. This Worklet is applicable regardless of whether or not you are an AnyDesk customer. 

Until you have confirmed the relevant certificate revocation is in effect within your environment, regular detection and remediation of the compromised certificate is recommended for Windows endpoints.

Components of the Windows - Security - Mitigate AnyDesk Certificate Vulnerability Worklet

This Worklet consists of two key components working in unison to detect and address the potential vulnerability: an evaluation script and a remediation script. The evaluation script searches the Windows certificate store, for both the system and users, to locate any certificates with a serial number that matches AnyDesk’s compromised certificate. 

If such a match is discovered, the remediation script is triggered, and details about the software will be provided within the Automox log. Based on the Worklet configuration, these files will either be deleted or flagged. 

How does the Windows - Security - Mitigate AnyDesk Certificate Vulnerability Worklet work?

This Worklet conducts a thorough search across the system's drive for any .ps1, .exe, or .msi files signed with a certificate that has the compromised serial number. It reports the files it finds, but removes them only if explicitly instructed to do so through the $removeExecutable parameter. Upon finding a match, it records the certificate and software details within the Automox Activity Log, ensuring ease of traceability. It then proceeds with an exhaustive search throughout the device's files, pinpointing and logging any executables or PowerShell scripts signed with the compromised certificate.

Remediation is executed based on user configuration, with an option to remove the offending executables entirely or log the vulnerability for further monitoring. 
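
The detection logic described above can be sketched as follows. This is an added example, not the Automox Worklet's own code: the serial number is a placeholder because this page does not list it, and `$scanRoot` and `ConvertTo-NormalizedSerial` are names assumed for the illustration.

```powershell
# Added illustration; not the Automox Worklet source.
# ASSUMPTION: placeholder value. Replace with the serial number published for the
# compromised AnyDesk certificate (hex digits; spaces or colons are tolerated).
$compromisedSerial = 'REPLACE-WITH-PUBLISHED-SERIAL'
$removeExecutable  = $false               # option name taken from the Worklet description
$scanRoot          = "$env:SystemDrive\"  # assumed scope: the system drive

if ($compromisedSerial -notmatch '^[0-9A-Fa-f:\s]+$') {
    throw 'Set $compromisedSerial to the published hex serial number before running.'
}

function ConvertTo-NormalizedSerial([string]$Serial) {
    # Tools print serials with spaces, colons, mixed case or leading zeros.
    ($Serial -replace '[^0-9A-Fa-f]', '').TrimStart('0').ToUpperInvariant()
}
$target = ConvertTo-NormalizedSerial $compromisedSerial

# Evaluation: look for the certificate in the machine and user stores.
$storeHits = Get-ChildItem -Path Cert:\LocalMachine, Cert:\CurrentUser -Recurse |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
                   (ConvertTo-NormalizedSerial $_.SerialNumber) -eq $target }
$storeHits | ForEach-Object { Write-Output "Store match: $($_.PSPath) [$($_.Subject)]" }

# Remediation: check the Authenticode signer of every .ps1, .exe and .msi file.
# Match on the serial whatever the signature Status is: a signature made with a
# stolen key can still report 'Valid'.
Get-ChildItem -Path $scanRoot -Recurse -File -Include *.ps1, *.exe, *.msi -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        $cert = $sig.SignerCertificate
        if ($cert -and (ConvertTo-NormalizedSerial $cert.SerialNumber) -eq $target) {
            $action = 'Flagged'
            if ($removeExecutable) {
                Remove-Item -LiteralPath $_.FullName -Force -ErrorAction Continue
                if (-not (Test-Path -LiteralPath $_.FullName)) { $action = 'Removed' }
            }
            [pscustomobject]@{
                Path = $_.FullName; Action = $action; Status = $sig.Status
                Issuer = $cert.Issuer; Thumbprint = $cert.Thumbprint  # serials are unique per issuer only
            }
        }
    }
```

Run it with `$removeExecutable = $false` first and review the flagged paths and issuers before enabling deletion.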

What’s the expected outcome when you use the Windows - Security - Mitigate AnyDesk Certificate Vulnerability Worklet?

Deploying the Mitigate AnyDesk Certificate Vulnerability Worklet hardens the system against the hazards stemming from the compromised production systems. By identifying the traces of the compromised certificate and offering the ability to identify or remove any associated executables, the Worklet elevates the security posture of the Windows devices to which it is applied.

This Worklet applies regardless of whether you are an AnyDesk customer – everyone should run detection and removal regularly until they have confirmed the relevant certificate revocation is in effect within their environment.


Consider Worklets your easy button

What's a Worklet?

A Worklet is an automation script, written in Bash or PowerShell, designed for seamless execution on endpoints – at scale – within the Automox platform. Worklet automation scripts perform configuration, remediation, and the installation or removal of applications and settings across Windows, macOS, and Linux.
