This detection identifies potential adversary use of AnyDesk, a Remote Monitoring and Management (RMM) tool, to establish persistence or a command-and-control channel. Rather than matching on file name or hash, it keys on the Authenticode signer recorded in DeviceFileCertificateInfo: AnyDesk binaries are signed by "AnyDesk Software GmbH" or, for older builds, "philandro Software GmbH" (the company's former name), so a renamed or relocated binary still matches. SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) to detect and contain endpoints compromised through abused RMM tools.
KQL Query
let Time_start = now(-5d);
let Time_end = now();
// Files whose Authenticode signer is AnyDesk's current or former company name.
// has_any matches whole terms case-insensitively, so the "GmbH" suffix is not needed.
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has_any ('anydesk software', 'philandro software')
// One row per device: first and last sighting, report IDs for pivoting, and hit count.
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
id: 5882eb11-389c-4095-87f2-e1d3ecaa956c
name: Remote Management and Monitoring tool - AnyDesk - File Signature
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or to provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileCertificateInfo
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceFileCertificateInfo
  | where Timestamp between (Time_start..Time_end)
  | where Signer has_any ('anydesk software', 'philandro software')
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
Note on the exclusions below: DeviceFileCertificateInfo records the certificate of a file (Signer, Issuer, IsTrusted, SHA1) but carries no process or parent-process columns. Any filter that depends on which process launched AnyDesk therefore needs a join to DeviceProcessEvents on DeviceId and SHA1, where the launching process is InitiatingProcessFileName and the user is AccountName.
Scenario: IT Admin Uses AnyDesk for Remote Support
Description: A system administrator uses AnyDesk to provide remote support to end-users, which is a legitimate use case.
Filter/Exclusion: Exclude by device or account rather than by process: keep a watchlist of approved helpdesk devices and add `| where DeviceName !in~ (ApprovedAnyDeskDevices)` after the Signer filter, or join to DeviceProcessEvents and drop rows whose AccountName is a known support account. Review the list periodically; a compromised helpdesk account is exactly the case this exclusion would hide.
Scenario: Scheduled Maintenance Task via AnyDesk
Description: A scheduled task is configured to run a maintenance script using AnyDesk to connect to remote machines for patching or configuration updates.
Filter/Exclusion: After joining to DeviceProcessEvents, exclude rows where InitiatingProcessFileName =~ "svchost.exe" and InitiatingProcessCommandLine has "Schedule" (the Task Scheduler service host launches task actions). Scheduled tasks are also a common persistence mechanism for attacker-installed AnyDesk, so scope this exclusion to the service account the maintenance task runs as (AccountName) instead of applying it to every device.
Scenario: AnyDesk Used for Remote Desktop Access
Description: IT staff uses AnyDesk as a remote desktop tool to access and manage endpoints, which is a common practice in enterprise environments.
Filter/Exclusion: Use the same device or account allowlist as the remote-support scenario. The parent process is not a useful discriminator here: an interactive launch typically shows explorer.exe as InitiatingProcessFileName whether or not the operator connected over RDP, and mstsc.exe is the RDP client, not a parent of AnyDesk.
Scenario: AnyDesk Installed as Part of RMM Tool Suite
Description: AnyDesk is installed as part of a larger RMM tool suite (e.g., Kaseya, ConnectWise, or ManageEngine), and is used for legitimate remote management.
Filter/Exclusion: After joining to DeviceProcessEvents, exclude rows where InitiatingProcessFileName =~ "RMM_Tool_Name" (e.g., "KaseyaAgent.exe"). A parent name alone is spoofable, so confirm the parent binary's own signer in DeviceFileCertificateInfo before trusting the exclusion.
Scenario: AnyDesk Used for Software Deployment
Description: IT uses AnyDesk to deploy software updates or configurations to remote endpoints as part of a standard deployment process.
Filter/Exclusion: As in the RMM case, exclude rows where InitiatingProcessFileName =~ "Deployment_Tool_Name" (e.g.,
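The query below is an added example, not part of the original hunting query or of the jischell-msft repository: it joins the signer hit to DeviceProcessEvents so triage shows what launched the AnyDesk binary and under which account, then applies the exclusions from the scenarios above in one place. Column names follow the Microsoft Defender XDR advanced-hunting schema; the device names and the parent-process allowlist are constructed for illustration (in production they would come from a Sentinel watchlist via `_GetWatchlist`).

```kql
// Added example, not part of the original rule: signer hit enriched with the
// launching process, then tuned with the scenario exclusions.
let Time_start = now(-5d);
let Time_end = now();
// Constructed allowlist: helpdesk devices permitted to run AnyDesk.
let ApprovedDevices = datatable(DeviceName:string) [
    "helpdesk-01.corp.example",
    "helpdesk-02.corp.example"
];
// Constructed allowlist: RMM or deployment agents that legitimately spawn AnyDesk.
let ApprovedParents = datatable(ParentName:string) [
    "KaseyaAgent.exe"
];
DeviceFileCertificateInfo
| where Timestamp between (Time_start..Time_end)
| where Signer has_any ("anydesk software", "philandro software")
// has_any matches the certificate subject text only; IsTrusted is what
// separates a genuine AnyDesk certificate from a self-signed one that
// happens to carry the same subject string.
| project DeviceId, DeviceName, SHA1, Signer, IsTrusted, ReportId
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp between (Time_start..Time_end)
    | project DeviceId, SHA1, FileName, FolderPath, AccountName,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              ProcTime=Timestamp
  ) on DeviceId, SHA1
// Remote support / remote desktop scenarios: approved helpdesk devices.
| where DeviceName !in~ (ApprovedDevices)
// RMM suite / software deployment scenarios: approved parent agents.
| where InitiatingProcessFileName !in~ (ApprovedParents)
// Scheduled maintenance scenario: task actions are launched by the Task
// Scheduler service host. This also hides attacker-created tasks, so narrow
// it to the maintenance service account if one exists.
| where not(InitiatingProcessFileName =~ "svchost.exe"
            and InitiatingProcessCommandLine has "Schedule")
| summarize FirstSeen=min(ProcTime), LastSeen=max(ProcTime), Launches=count(),
            Parents=make_set(InitiatingProcessFileName),
            Accounts=make_set(AccountName), Paths=make_set(FolderPath),
            Report=make_set(ReportId)
    by DeviceId, DeviceName, FileName, Signer, IsTrusted
| order by LastSeen desc
```

The inner join deliberately drops AnyDesk-signed files that were written to disk but never executed; if the hunt is for staged tooling rather than live sessions, change it to `kind=leftouter` and treat an empty Parents set as "present but not yet run". Rows with IsTrusted == false deserve a look regardless of the allowlists, since a trusted AnyDesk build should never produce them.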