Query Details

Network AnyDesk Connection To Public IP

Query

# Detect when AnyDesk makes a remote connection

## Query Information

### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1219 | Remote Access Software | https://attack.mitre.org/techniques/T1219/ |

### Defender For Endpoint

```
DeviceNetworkEvents
| where InitiatingProcessFileName == "AnyDesk.exe"
| where LocalIPType == "Private"
| where RemoteIPType == "Public"
| where RemoteUrl != "boot.net.anydesk.com" // Initial AnyDesk Connection when booted.
| project
     Timestamp,
     DeviceId,
     InitiatingProcessAccountName,
     ActionType,
     RemoteIP,
     RemotePort,
     RemoteUrl
```

### Sentinel

```
DeviceNetworkEvents
| where InitiatingProcessFileName == "AnyDesk.exe"
| where LocalIPType == "Private"
| where RemoteIPType == "Public"
| where RemoteUrl != "boot.net.anydesk.com" // Initial AnyDesk Connection when booted.
| project
     TimeGenerated,
     DeviceId,
     InitiatingProcessAccountName,
     ActionType,
     RemoteIP,
     RemotePort,
     RemoteUrl
```
Explanation

This query detects when the remote access software AnyDesk makes an outbound connection from a private local IP to a public remote IP. It filters for events where the initiating process is AnyDesk.exe, the local IP type is private, the remote IP type is public, and the remote URL is not "boot.net.anydesk.com" (the connection AnyDesk makes to its own infrastructure when it starts, excluded because it occurs on every launch). The query then projects the timestamp (TimeGenerated in Sentinel), device ID, initiating process account name, action type, remote IP, remote port, and remote URL.
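As an added example (not part of the original query page), the same where-clauses and projection replayed in Python over constructed DeviceNetworkEvents rows, so the filter logic and its edge cases (boot-host exclusion, empty RemoteUrl, case-sensitive process name) can be checked offline. The Private/Public IP classification and the sample rows are assumptions, not Defender's own implementation.

```python
import ipaddress

# Approximation of Defender's LocalIPType/RemoteIPType columns: RFC 1918, loopback
# and link-local count as "Private", anything else "Public" (assumption, not MDE's logic).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

BOOT_HOST = "boot.net.anydesk.com"  # excluded by the query: AnyDesk's start-up connection
PROJECTED = ("Timestamp", "DeviceId", "InitiatingProcessAccountName",
             "ActionType", "RemoteIP", "RemotePort", "RemoteUrl")  # Defender column names


def ip_type(ip):
    addr = ipaddress.ip_address(ip)
    return "Private" if any(addr in net for net in PRIVATE_NETS) else "Public"


def detect_anydesk_public_connections(events):
    """Apply the query's where-clauses and projection to a list of event dicts."""
    hits = []
    for ev in events:
        # KQL == on strings is case-sensitive, so "anydesk.exe" does NOT match.
        if ev.get("InitiatingProcessFileName") != "AnyDesk.exe":
            continue
        if ip_type(ev["LocalIP"]) != "Private" or ip_type(ev["RemoteIP"]) != "Public":
            continue
        # An empty RemoteUrl (no hostname observed) still passes the != filter, as in KQL.
        if ev.get("RemoteUrl", "") == BOOT_HOST:
            continue
        hits.append({k: ev.get(k) for k in PROJECTED})
    return hits


# Constructed sample rows using documentation IP ranges; not real telemetry.
def _row(ts, dev, user, proc, local, remote, port, url):
    return dict(Timestamp=ts, DeviceId=dev, InitiatingProcessAccountName=user,
                InitiatingProcessFileName=proc, ActionType="ConnectionSuccess",
                LocalIP=local, RemoteIP=remote, RemotePort=port, RemoteUrl=url)

SAMPLE_EVENTS = [
    _row("2023-02-14T09:00:01Z", "dev-01", "alice", "AnyDesk.exe", "10.0.0.5", "203.0.113.10", 443, BOOT_HOST),
    _row("2023-02-14T09:00:07Z", "dev-01", "alice", "AnyDesk.exe", "10.0.0.5", "198.51.100.23", 443, "relay.example.invalid"),
    _row("2023-02-14T09:01:00Z", "dev-02", "bob", "AnyDesk.exe", "192.168.1.20", "192.168.1.30", 7070, ""),
    _row("2023-02-14T09:02:00Z", "dev-03", "carol", "chrome.exe", "10.0.0.9", "198.51.100.50", 443, "example.com"),
    _row("2023-02-14T09:03:00Z", "dev-04", "dave", "anydesk.exe", "10.0.0.7", "198.51.100.60", 443, ""),
]

if __name__ == "__main__":
    for hit in detect_anydesk_public_connections(SAMPLE_EVENTS):
        print(hit)
```

Only the second row survives: the boot connection, the LAN-to-LAN session, the non-AnyDesk process and the lowercase file name are all dropped, which is exactly what the KQL filters do.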

Details


Bert-Jan Pals

Released: February 14, 2023

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents,InitiatingProcessFileName,LocalIPType,RemoteIPType,RemoteUrl,Timestamp,DeviceId,InitiatingProcessAccountName,ActionType,RemoteIP,RemotePort,TimeGenerated

Operators

where, ==, !=, |, project
