
Suspicious Binary Writes Via AnyDesk

Sigma Rules

Summary
This detection rule identifies suspicious binary writes by the AnyDesk application on Windows systems. AnyDesk is remote desktop software that, in normal operation, interacts with the Google API through its legitimate library 'gcapi.dll'; it should not write other executable files to disk. Research by Red Canary highlights that files written by AnyDesk other than 'gcapi.dll' often indicate malicious behavior, such as malware using AnyDesk for command and control. The rule matches file operations whose source process is 'anydesk.exe' and filters out legitimate writes of 'gcapi.dll'. It is assigned a high alert level, since the activity it catches may compromise the endpoint's security.
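The detection logic described above, applied to Sysmon-style file-create events, as an added illustration (this is not the published Sigma rule; the event field names, the set of executable extensions and the sample events are assumptions):

```python
"""Illustration of the AnyDesk binary-write detection logic over
Sysmon-style file-create records (Event ID 11 field names assumed).
Added example, not the published Sigma rule."""
from typing import Iterable

# Extensions treated as "binary" writes (assumption; the rule text says executables).
BINARY_EXTENSIONS = (".exe", ".dll", ".sys", ".scr")
# The one library AnyDesk legitimately writes for Google API access (per the summary).
ALLOWED_BASENAMES = ("gcapi.dll",)


def is_suspicious_anydesk_write(event: dict) -> bool:
    """True when the source process is anydesk.exe, the target is an
    executable file, and the target is not the legitimate gcapi.dll."""
    image = event.get("Image", "").lower()
    target = event.get("TargetFilename", "").lower()
    if not image.endswith("\\anydesk.exe"):
        return False                     # not written by AnyDesk
    if not target.endswith(BINARY_EXTENSIONS):
        return False                     # not a binary write
    basename = target.rsplit("\\", 1)[-1]
    return basename not in ALLOWED_BASENAMES   # gcapi.dll is filtered out


def find_suspicious_writes(events: Iterable[dict]) -> list:
    """Return the events that would raise the high-level alert."""
    return [e for e in events if is_suspicious_anydesk_write(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe",
     "TargetFilename": "C:\\ProgramData\\AnyDesk\\gcapi.dll"},   # expected, filtered
    {"Image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe",
     "TargetFilename": "C:\\Users\\Public\\update.exe"},          # suspicious
    {"Image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe",
     "TargetFilename": "C:\\Users\\Public\\session.log"},         # not a binary
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\Temp\\helper.dll"},          # not AnyDesk
]

if __name__ == "__main__":
    for hit in find_suspicious_writes(SAMPLE_EVENTS):
        print("ALERT (high):", hit["Image"], "->", hit["TargetFilename"])
```

Matching is case-insensitive because Sysmon reports paths in whatever case the process supplied; the published rule's exact field modifiers may differ.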
Categories
  • Endpoint
  • Windows
Data Sources
  • File
  • Process
Created: 2022-09-28