Remote Access Tool - Team Viewer Session Started On Linux Host
Detects the command line executed when TeamViewer starts a session initiated by a remote host: the TeamViewer_Service process launching TeamViewer_Desktop with the IPC port and module arguments the rule lists. Once a connection has been started, an investigator can verify the connection details in the "incoming_connections.txt" log file in the TeamViewer folder.
Sigma rule
title: Remote Access Tool - Team Viewer Session Started On Linux Host
id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
related:
    - id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
      type: similar
    - id: f459ccb4-9805-41ea-b5b2-55e279e2424a
      type: similar
status: test
description: |
    Detects the command line executed when TeamViewer starts a session started by a remote host.
    Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
references:
    - Internal Research
author: Josh Nickels, Qi Nan
date: 2024-03-11
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith: '/TeamViewer_Service'
        Image|endswith: '/TeamViewer_Desktop'
        CommandLine|endswith: '/TeamViewer_Desktop --IPCport 5939 --Module 1'
    condition: selection
falsepositives:
    - Legitimate usage of TeamViewer
level: low
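The selection above is three field comparisons ANDed together. To see exactly what fires and what does not, here is an added example (not part of the rule or the SigmaHQ project) that implements Sigma's selection-map semantics for the `endswith`, `startswith`, `contains` and exact modifiers and replays the rule over constructed process_creation events using the same field names (ParentImage, Image, CommandLine). The install path /opt/teamviewer/tv_bin and every event are constructed samples, not captured telemetry; the `run_rule` and `selection_matches` names are mine.

```python
# Added example (not part of the Sigma rule or the SigmaHQ project): a minimal
# evaluator for the rule's "selection" map, replayed over constructed
# process_creation events that use the rule's field names.
from typing import Any

# Transcribed from the detection.selection block of the rule above.
SELECTION: dict[str, Any] = {
    "ParentImage|endswith": "/TeamViewer_Service",
    "Image|endswith": "/TeamViewer_Desktop",
    "CommandLine|endswith": "/TeamViewer_Desktop --IPCport 5939 --Module 1",
}


def _compare(modifier: str, actual: str, expected: str) -> bool:
    """One Sigma string comparison. Sigma compares case-insensitively by
    default, which this mirrors; a backend for case-sensitive Linux telemetry
    may choose otherwise, so check what your converter actually emits."""
    a, e = actual.lower(), expected.lower()
    if modifier == "":
        return a == e
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def selection_matches(selection: dict[str, Any], event: dict[str, Any]) -> bool:
    """A Sigma selection map ANDs its keys; a list-valued key ORs its values.
    A field absent from the event never matches."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        candidates = expected if isinstance(expected, list) else [expected]
        if not any(_compare(modifier, str(event[field]), str(c)) for c in candidates):
            return False
    return True


# Constructed sample events (hypothetical paths and values chosen to exercise
# the rule; not captured telemetry). Only evt-1 reproduces the launch pattern.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {   # service spawns the desktop module exactly as the rule expects -> hit
        "id": "evt-1",
        "ParentImage": "/opt/teamviewer/tv_bin/TeamViewer_Service",
        "Image": "/opt/teamviewer/tv_bin/TeamViewer_Desktop",
        "CommandLine": "/opt/teamviewer/tv_bin/TeamViewer_Desktop --IPCport 5939 --Module 1",
    },
    {   # same parent/child, different module argument -> miss (endswith is literal)
        "id": "evt-2",
        "ParentImage": "/opt/teamviewer/tv_bin/TeamViewer_Service",
        "Image": "/opt/teamviewer/tv_bin/TeamViewer_Desktop",
        "CommandLine": "/opt/teamviewer/tv_bin/TeamViewer_Desktop --IPCport 5939 --Module 2",
    },
    {   # local user starts the GUI from a shell, not via the service -> miss
        "id": "evt-3",
        "ParentImage": "/usr/bin/bash",
        "Image": "/opt/teamviewer/tv_bin/TeamViewer_Desktop",
        "CommandLine": "/opt/teamviewer/tv_bin/TeamViewer_Desktop",
    },
    {   # unrelated binary merely echoing the arguments -> miss (Image and CommandLine both fail)
        "id": "evt-4",
        "ParentImage": "/opt/teamviewer/tv_bin/TeamViewer_Service",
        "Image": "/tmp/notes",
        "CommandLine": "/tmp/notes --IPCport 5939 --Module 1",
    },
]


def run_rule(events: list[dict[str, Any]], selection: dict[str, Any] = SELECTION) -> list[str]:
    """Return the ids of the events the rule (condition: selection) fires on."""
    return [e["id"] for e in events if selection_matches(selection, e)]


if __name__ == "__main__":
    for event_id in run_rule(SAMPLE_EVENTS):
        print(f"{event_id}: TeamViewer session started by a remote host; "
              "pivot to incoming_connections.txt in the TeamViewer folder")
```

Two things the replay makes visible. First, the `endswith` on CommandLine is a literal suffix match, so any deviation in the trailing arguments (a different `--IPCport` or `--Module` value, or anything appended after them) is a miss by construction; if you loosen it, keep the ParentImage check, since that is what ties the launch to the service rather than to a local user. Second, a hit only tells you a session was started, not by whom: the rule's own guidance is to pivot to "incoming_connections.txt" in the TeamViewer folder for the peer details before treating the event as anything more than low-severity context.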
Related rules
- External Remote RDP Logon from Public IP
- External Remote SMB Logon from Public IP
- Failed Logon From Public IP
- OpenCanary - SSH Login Attempt
- OpenCanary - SSH New Connection Attempt