Query Details

Detect when AnyDesk makes a remote connection

Network Any Desk Connection To Public IP

Query

DeviceNetworkEvents
| where InitiatingProcessFileName == "AnyDesk.exe"
| where LocalIPType == "Private"
| where RemoteIPType == "Public"
| where RemoteUrl != "boot.net.anydesk.com" // Initial AnyDesk Connection when booted.
| project
     Timestamp,
     DeviceId,
     InitiatingProcessAccountName,
     ActionType,
     RemoteIP,
     RemotePort,
     RemoteUrl

About this query

Detect when AnyDesk makes a remote connection

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1219Remote Access Softwarehttps://attack.mitre.org/techniques/T1219/

Description

List devices from which AnyDesk makes a remote connection.

References

Defender XDR

Sentinel

DeviceNetworkEvents
| where InitiatingProcessFileName == "AnyDesk.exe"
| where LocalIPType == "Private"
| where RemoteIPType == "Public"
| where RemoteUrl != "boot.net.anydesk.com" // Initial AnyDesk Connection when booted.
| project
     TimeGenerated,
     DeviceId,
     InitiatingProcessAccountName,
     ActionType,
     RemoteIP,
     RemotePort,
     RemoteUrl

Explanation

This query is designed to detect when the remote access software AnyDesk is used to make a connection from a device. It focuses on identifying connections where AnyDesk is the initiating process, and it filters out initial connections to AnyDesk's boot server, which are considered normal.

Here's a breakdown of what the query does:

  1. Data Source: The query examines network events from devices.

  2. Process Filter: It specifically looks for events where the process initiating the connection is "AnyDesk.exe".

  3. IP Type Filter:

    • The connection must originate from a private IP address (indicating it's from within a local network).
    • The destination must be a public IP address (indicating it's going out to the internet).
  4. Exclusion: It excludes connections to "boot.net.anydesk.com", which is the server AnyDesk connects to when it starts up, as this is a normal and expected connection.

  5. Output: The query outputs several details about each detected connection:

    • Timestamp/TimeGenerated: When the connection event occurred.
    • DeviceId: The identifier of the device making the connection.
    • InitiatingProcessAccountName: The account name under which AnyDesk is running.
    • ActionType: The type of network action recorded.
    • RemoteIP: The public IP address to which the connection is made.
    • RemotePort: The port number used for the connection.
    • RemoteUrl: The URL associated with the remote connection.

This query is useful for security monitoring, as it helps identify potentially unauthorized or suspicious remote access activities using AnyDesk.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEventsTimestampIdInitiatingProcessAccountNameActionTypeRemoteIPPortUrl

Operators

`|``where``==``!=``project`

MITRE Techniques

Actions

GitHub