Remote Access Tool - Team Viewer Session Started On MacOS Host
Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
Sigma rule (View on GitHub)
1title: Remote Access Tool - Team Viewer Session Started On MacOS Host
2id: f459ccb4-9805-41ea-b5b2-55e279e2424a
3related:
4 - id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
5 type: similar
6 - id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
7 type: similar
8status: experimental
9description: |
10 Detects the command line executed when TeamViewer starts a session started by a remote host.
11 Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
12references:
13 - Internal Research
14author: Josh Nickels, Qi Nan
15date: 2024-03-11
16tags:
17 - attack.initial-access
18 - attack.t1133
19logsource:
20 category: process_creation
21 product: macos
22detection:
23 selection:
24 ParentImage|endswith: '/TeamViewer_Service'
25 Image|endswith: '/TeamViewer_Desktop'
26 CommandLine|endswith: '/TeamViewer_Desktop --IPCport 5939 --Module 1'
27 condition: selection
28falsepositives:
29 - Legitimate usage of TeamViewer
30level: low
References
Related rules
- External Remote RDP Logon from Public IP
- External Remote SMB Logon from Public IP
- Failed Logon From Public IP
- OpenCanary - SSH Login Attempt
- OpenCanary - SSH New Connection Attempt