Add additional log paths to AnyDesk plugin (#362)

fox-it · Aug 17, 2023 · 1f58694 · 1f58694
1 parent 4381ca9
commit 1f58694
Showing 1 changed file with 20 additions and 8 deletions.
diff --git a/dissect/target/plugins/apps/remoteaccess/anydesk.py b/dissect/target/plugins/apps/remoteaccess/anydesk.py
@@ -15,26 +15,37 @@ class AnydeskPlugin(RemoteAccessPlugin):
 
     __namespace__ = "anydesk"
 
-    # Anydesk log when service (Windows)
-    GLOBS = [
-        "/sysvol/ProgramData/AnyDesk/*.trace",
+    # Anydesk logs when installed as a service
+    SERVICE_GLOBS = [
+        "/sysvol/ProgramData/AnyDesk/*.trace",  # Standard client >= Windows 7
+        "/sysvol/ProgramData/AnyDesk/ad_*/*.trace",  # Custom client >= Windows 7
+        "/var/log/anydesk*.trace",  # Standard/Custom client Linux/MacOS
+    ]
+
+    # User specific Anydesk logs
+    USER_GLOBS = [
+        "appdata/roaming/AnyDesk/*.trace",  # Standard client Windows
+        "appdata/roaming/AnyDesk/ad_*/*.trace",  # Custom client Windows
+        ".anydesk/*.trace",  # Standard client Linux/MacOS
+        ".anydesk_ad_*/*.trace",  # Custom client Linux/MacOS
     ]
 
     def __init__(self, target):
         super().__init__(target)
 
         self.logfiles = []
 
-        # Check service globs (Windows)
+        # Check service globs
         user = None
-        for log_glob in self.GLOBS:
+        for log_glob in self.SERVICE_GLOBS:
             for logfile in self.target.fs.glob(log_glob):
                 self.logfiles.append([logfile, user])
 
         # Anydesk logs when as user
         for user_details in self.target.user_details.all_with_home():
-            for logfile in user_details.home_path.glob("appdata/roaming/AnyDesk/*.trace"):
-                self.logfiles.append([logfile, user_details.user])
+            for log_glob in self.USER_GLOBS:
+                for logfile in user_details.home_path.glob(log_glob):
+                    self.logfiles.append([logfile, user_details.user])
 
     def check_compatible(self):
         if not (len(self.logfiles)):
@@ -45,10 +56,11 @@ def logs(self):
         """Return the content of the AnyDesk logs.
 
         AnyDesk is a remote desktop application and can be used by adversaries to get (persistent) access to a machine.
-        Log files (.trace files) are retrieved from /ProgramData/AnyDesk/ and AppData/roaming/AnyDesk/
+        Log files (.trace files) are retrieved from various location based on OS and client type.
 
         References:
             - https://www.inversecos.com/2021/02/forensic-analysis-of-anydesk-logs.html
+            - https://support.anydesk.com/knowledge/trace-files#trace-file-locations
         """
         for logfile, user in self.logfiles:
             logfile = self.target.fs.path(logfile)