Skip to content

Files

Latest commit

3c7dd1a · Dec 1, 2024

History

History
52 lines (42 loc) · 1.16 KB

Network - AnyDeskConnectionToPublicIP.md

File metadata and controls

52 lines (42 loc) · 1.16 KB

Detect when AnyDesk makes a remote connection

Query Information

MITRE ATT&CK Technique(s)

Technique ID Title Link
T1219 Remote Access Software https://attack.mitre.org/techniques/T1219/

Description

List devices from which AnyDesk makes a remote connection.

References

Defender XDR

DeviceNetworkEvents
| where InitiatingProcessFileName == "AnyDesk.exe"
| where LocalIPType == "Private"
| where RemoteIPType == "Public"
| where RemoteUrl != "boot.net.anydesk.com" // Initial AnyDesk Connection when booted.
| project
     Timestamp,
     DeviceId,
     InitiatingProcessAccountName,
     ActionType,
     RemoteIP,
     RemotePort,
     RemoteUrl

Sentinel

DeviceNetworkEvents
| where InitiatingProcessFileName == "AnyDesk.exe"
| where LocalIPType == "Private"
| where RemoteIPType == "Public"
| where RemoteUrl != "boot.net.anydesk.com" // Initial AnyDesk Connection when booted.
| project
     TimeGenerated,
     DeviceId,
     InitiatingProcessAccountName,
     ActionType,
     RemoteIP,
     RemotePort,
     RemoteUrl