AnyDesk makes a remote connection
Introduction
AnyDesk is a popular remote desktop application that allows users to connect to and control other devices over the internet. While it is commonly used for legitimate remote support and administration, AnyDesk can also be exploited by attackers to gain unauthorized remote access to systems, bypass security controls, and maintain persistence within a network.
KQL
DeviceNetworkEvents
| where InitiatingProcessFileName == "AnyDesk.exe"
| where LocalIPType == "Private"
| where RemoteIPType == "Public"
| where RemoteUrl != "boot.net.anydesk.com" // Initial AnyDesk Connection when booted.
| project Timestamp, DeviceId, InitiatingProcessAccountName, ActionType, RemoteIP, RemotePort, RemoteUrl
Reference: https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/main/Defender%20For%20Endpoint/Network%20-%20AnyDeskConnectionToPublicIP.md
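To check the filter logic of the query above without live telemetry, the same `where` clauses can be run against an inline `datatable`. This is an added example, not part of the referenced repository; the table name `SampleDeviceNetworkEvents` and every row in it are constructed, and the IP addresses come from documentation ranges.

```kql
// Constructed rows standing in for DeviceNetworkEvents (not real telemetry).
let SampleDeviceNetworkEvents = datatable(
    Timestamp: datetime, DeviceId: string, InitiatingProcessFileName: string,
    InitiatingProcessAccountName: string, ActionType: string,
    LocalIPType: string, RemoteIP: string, RemoteIPType: string,
    RemotePort: int, RemoteUrl: string)
[
    // Row 1: boot-time check-in, exercises the RemoteUrl exclusion.
    datetime(2024-01-10 08:00:00), "device-01", "AnyDesk.exe", "alice",
        "ConnectionSuccess", "Private", "203.0.113.10", "Public", 443, "boot.net.anydesk.com",
    // Row 2: private source to public destination, no RemoteUrl recorded.
    datetime(2024-01-10 08:05:00), "device-01", "AnyDesk.exe", "alice",
        "ConnectionSuccess", "Private", "198.51.100.25", "Public", 443, "",
    // Row 3: private-to-private session, exercises the RemoteIPType filter.
    datetime(2024-01-10 08:10:00), "device-02", "AnyDesk.exe", "bob",
        "ConnectionSuccess", "Private", "10.0.0.15", "Private", 7070, "",
    // Row 4: a different initiating process, exercises the file name filter.
    datetime(2024-01-10 08:15:00), "device-03", "chrome.exe", "carol",
        "ConnectionSuccess", "Private", "198.51.100.80", "Public", 443, "example.com",
    // Row 5: lowercase file name; `==` is case-sensitive, `=~` is not.
    datetime(2024-01-10 08:20:00), "device-04", "anydesk.exe", "dave",
        "ConnectionSuccess", "Private", "198.51.100.26", "Public", 443, ""
];
SampleDeviceNetworkEvents
| where InitiatingProcessFileName == "AnyDesk.exe"
| where LocalIPType == "Private"
| where RemoteIPType == "Public"
| where RemoteUrl != "boot.net.anydesk.com" // Initial AnyDesk Connection when booted.
| project Timestamp, DeviceId, InitiatingProcessAccountName, ActionType, RemoteIP, RemotePort, RemoteUrl
```

Swapping `==` for `=~` on the file name comparison and re-running shows how the result set changes for the lowercase row, which is worth deciding on before deploying the rule.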