Detect when AnyDesk makes a remote connection
Network Any Desk Connection To Public IP
Query
DeviceNetworkEvents
| where InitiatingProcessFileName == "AnyDesk.exe"
| where LocalIPType == "Private"
| where RemoteIPType == "Public"
| where RemoteUrl != "boot.net.anydesk.com" // Initial AnyDesk Connection when booted.
| project
Timestamp,
DeviceId,
InitiatingProcessAccountName,
ActionType,
RemoteIP,
RemotePort,
RemoteUrlAbout this query
Detect when AnyDesk makes a remote connection
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1219 | Remote Access Software | https://attack.mitre.org/techniques/T1219/ |
Description
List devices from which AnyDesk makes a remote connection.
References
Defender XDR
Sentinel
DeviceNetworkEvents
| where InitiatingProcessFileName == "AnyDesk.exe"
| where LocalIPType == "Private"
| where RemoteIPType == "Public"
| where RemoteUrl != "boot.net.anydesk.com" // Initial AnyDesk Connection when booted.
| project
TimeGenerated,
DeviceId,
InitiatingProcessAccountName,
ActionType,
RemoteIP,
RemotePort,
RemoteUrl
Explanation
This query is designed to detect when the remote access software AnyDesk is used to make a connection from a device. It focuses on identifying connections where AnyDesk is the initiating process, and it filters out initial connections to AnyDesk's boot server, which are considered normal.
Here's a breakdown of what the query does:
-
Data Source: The query examines network events from devices.
-
Process Filter: It specifically looks for events where the process initiating the connection is "AnyDesk.exe".
-
IP Type Filter:
- The connection must originate from a private IP address (indicating it's from within a local network).
- The destination must be a public IP address (indicating it's going out to the internet).
-
Exclusion: It excludes connections to "boot.net.anydesk.com", which is the server AnyDesk connects to when it starts up, as this is a normal and expected connection.
-
Output: The query outputs several details about each detected connection:
- Timestamp/TimeGenerated: When the connection event occurred.
- DeviceId: The identifier of the device making the connection.
- InitiatingProcessAccountName: The account name under which AnyDesk is running.
- ActionType: The type of network action recorded.
- RemoteIP: The public IP address to which the connection is made.
- RemotePort: The port number used for the connection.
- RemoteUrl: The URL associated with the remote connection.
This query is useful for security monitoring, as it helps identify potentially unauthorized or suspicious remote access activities using AnyDesk.
