T1219 – Remote Access Software (Microsoft Defender Detection)

Microsoft Defender Alert Details
Alert ID: MD-REMOTE-ACCESS-1219-7842
Alert Time: 2024-03-01 11:30:22 EST
Severity: HIGH (85/100)
Source: Microsoft Defender for Endpoint
Rule: “Unauthorized Remote Access Software Installed”
MITRE ATT&CK: T1219 – Remote Access Software

Alert Details:

Detection: Unauthorized remote access software (AnyDesk) installed and running

Host: FIN-WS-078 (Finance Workstation)
User: bturner@company.com (Brian Turner, Accountant)
Time: 11:15-11:30 EST

Software Details:

Name: AnyDesk
Version: 7.0.14
Install Path: C:\Users\bturner\AppData\Local\AnyDesk\
Executable: AnyDesk.exe (PID: 4789)
Install Time: 11:10 EST
Installation Source: Downloaded from suspicious URL

Configuration:

Unattended access enabled
Password set: “Finance2024!”
Auto-start enabled (registry Run key added)
Firewall exception added

Network Connections:

11:12 – Connection to anydesk.com (legitimate) – authentication
11:13 – Connection to 185.143.221[.]89:443 (suspicious)
11:15-11:30 – Active remote session from external IP

Detection Logic:

AnyDesk installed without IT approval
Unattended access enabled (allows remote control without consent)
Connection to known malicious IP during session
User bturner has no legitimate need for remote access software
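The four detection conditions above, expressed as a correlation rule over endpoint telemetry. This is an added example, not the report's or Defender's own logic; the event shape, the weights, the watchlists and the role table are assumptions, and the telemetry is constructed to mirror the alert on FIN-WS-078.

```python
# Added example: T1219 correlation rule over constructed endpoint events.
# Weights, watchlists, role table and event layout are assumptions.
from collections import namedtuple

Finding = namedtuple("Finding", "weight reason")

REMOTE_ACCESS_TOOLS = {"anydesk.exe"}          # watchlist of remote access binaries
APPROVED_TOOLS = set()                         # nothing IT-approved in this estate
ROLES_NEEDING_REMOTE_ACCESS = {"it-helpdesk"}  # assumed role table
KNOWN_BAD_IPS = {"185.143.221[.]89"}           # from the alert, kept defanged

ANYDESK = r"C:\Users\bturner\AppData\Local\AnyDesk\AnyDesk.exe"
# Constructed telemetry for FIN-WS-078, in the order the alert lists it.
EVENTS = [
    {"type": "process", "pid": 4789, "image": ANYDESK},
    {"type": "registry", "value": ANYDESK,
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "firewall", "direction": "inbound", "program": ANYDESK},
    {"type": "network", "pid": 4789, "dest": "anydesk.com", "port": 443},
    {"type": "network", "pid": 4789, "dest": "185.143.221[.]89", "port": 443},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(events, user_role):
    """Return (score, findings) for one host; score >= 80 is HIGH."""
    findings, tool_pids = [], {}
    for e in events:
        if e["type"] == "process" and basename(e["image"]) in REMOTE_ACCESS_TOOLS:
            tool = basename(e["image"])
            tool_pids[e["pid"]] = tool
            if tool not in APPROVED_TOOLS:
                findings.append(Finding(30, f"{tool} installed without IT approval"))
            if user_role not in ROLES_NEEDING_REMOTE_ACCESS:
                findings.append(Finding(15, f"role '{user_role}' has no need for remote access"))
        elif e["type"] == "registry" and e["path"].endswith("\\Run") \
                and basename(e["value"]) in REMOTE_ACCESS_TOOLS:
            findings.append(Finding(15, "auto-start persistence via Run key"))
        elif e["type"] == "firewall" and e["direction"] == "inbound" \
                and basename(e["program"]) in REMOTE_ACCESS_TOOLS:
            findings.append(Finding(15, "inbound firewall exception for remote access tool"))
        elif e["type"] == "network" and e["pid"] in tool_pids and e["dest"] in KNOWN_BAD_IPS:
            findings.append(Finding(25, f"{tool_pids[e['pid']]} session to known-bad IP {e['dest']}"))
    return min(100, sum(f.weight for f in findings)), findings

def severity(score):
    return "HIGH" if score >= 80 else "MEDIUM" if score >= 50 else "LOW"
```

The anydesk.com connection is deliberately not scored, matching the alert's note that it is legitimate authentication traffic; only the session to the watchlisted IP from the AnyDesk process counts.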
SOC Investigation Process

Step | Action | Tools Used | Findings
1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed unauthorized AnyDesk installation
2. Process Investigation | Identify AnyDesk process | CrowdStrike Falcon | AnyDesk running with active remote session
3. User Interview | Contact bturner | Teams, Phone | User did NOT install AnyDesk (account compromised)
4. Immediate Action | Terminate AnyDesk process | CrowdStrike | Process killed
5. Software Removal | Uninstall AnyDesk | CrowdStrike Live Response | AnyDesk removed; registry keys cleaned
6. Account Remediation | Disable bturner account | Azure AD, AD | Account disabled; password reset

Jira Incident Report
Ticket: SOC-2024-153
Summary: T1219 – Unauthorized AnyDesk Installation for Remote Access
Status: RESOLVED
Resolution: MALICIOUS – Remote Access Terminated
Priority: P2 – MEDIUM
Labels: T1219, remote-access-software, anydesk, defender, compromised-account
Components: Endpoint-Security, Application-Control

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Microsoft Defender for Endpoint.
Alert: “Unauthorized Remote Access Software Installed”.
Host: FIN-WS-078 (Finance Department, user bturner).
Software: AnyDesk (remote access tool).
Time: 2024-03-01 11:30 EST.
Technique: MITRE ATT&CK T1219 – Remote Access Software.

2. Technical Analysis:

Attack Chain:

10:30 – bturner account compromised via phishing
10:45 – Attacker logs into FIN-WS-078 via RDP
10:50 – Attacker downloads AnyDesk installer
11:00 – AnyDesk installed with unattended access
11:05 – AnyDesk configured to phone home
11:10-11:30 – Active remote session
11:30 – Defender detects

AnyDesk Configuration:

Unattended Access: Enabled (allows remote control without user interaction)
Password: Finance2024! (known to attacker)
Auto-start: Registry Run key added
Firewall: Exception added to allow inbound connections

Remote Session Activity:

11:10-11:30 – Attacker connected remotely
Viewed financial documents (3 files)
Attempted to access banking portal (failed – MFA required)
Downloaded 2 files locally (staged)
No exfiltration detected

User Status:

Account compromised; user unaware

3. Investigation Findings:

Timeline:

10:30 – Account compromised
10:45 – Attacker logs in
10:50-11:00 – AnyDesk installed
11:10-11:30 – Remote session
11:30 – Defender alert
11:32 – SOC investigates
11:33 – AnyDesk terminated
11:34 – Software removed

Indicators of Compromise (IoCs):

Software:

– AnyDesk 7.0.14 (unauthorized)
– Unattended access enabled

Network:

– anydesk.com (legitimate, used for auth)
– 185.143.221[.]89:443 (suspicious)

Account:

– bturner (compromised)

4. Containment Actions:

Immediate Actions:

Terminated AnyDesk process.
Uninstalled AnyDesk.
Removed registry Run key.
Removed firewall exception.
Disabled bturner account.
Reset password.

Host Remediation:

Full scan (clean).
Reimaged as precaution.

User Remediation:

MFA enforced.

5. Root Cause Analysis:

Primary Cause: User account compromised, allowing attacker to install remote access tool.
Contributing Factors:
No MFA on account.
RDP allowed from internet.
No application control blocking unauthorized software.

6. Business Impact:

Operational Impact: Finance user offline for 2 hours.
Data Exposure: 3 financial documents viewed; 2 staged locally.

7. Remediation & Prevention:

Completed Actions:

Remote access terminated.
Software removed.
Account secured.

Technical Controls Enhanced:

Enforced MFA for all users.
Moved RDP behind VPN only.
Implemented application control (block unauthorized remote access tools).
Enhanced monitoring for remote access software installation.

8. Conclusion:

An attacker compromised a finance user’s account and installed AnyDesk with unattended access, establishing a remote session to view financial documents. Defender detected the unauthorized software and enabled rapid termination of the remote access.

Closure Rationale: Remote access terminated; software removed; account secured.

Analyst: [Your Name], SOC Analyst
Date: 2024-03-01 12:30 EST