TeamViewer Domain Query By Non-TeamViewer Application
Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
Sigma rule (View on GitHub)
1title: TeamViewer Domain Query By Non-TeamViewer Application
2id: 778ba9a8-45e4-4b80-8e3e-34a419f0b85e
3status: test
4description: Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)
5references:
6 - https://www.teamviewer.com/en-us/
7author: Florian Roth (Nextron Systems)
8date: 2022-01-30
9modified: 2023-09-18
10tags:
11 - attack.command-and-control
12 - attack.t1219
13logsource:
14 product: windows
15 category: dns_query
16detection:
17 selection:
18 QueryName:
19 - 'taf.teamviewer.com'
20 - 'udp.ping.teamviewer.com'
21 filter_main_teamviewer:
22 # Note: To avoid evasion based on similar names. Best add full install location of TeamViewer
23 Image|contains: 'TeamViewer'
24 condition: selection and not 1 of filter_main_*
25falsepositives:
26 - Unknown binary names of TeamViewer
27 - Depending on the environment the rule might require some initial tuning before usage to avoid FP with third party applications
28level: medium
References
Related rules
- Antivirus Exploitation Framework Detection
- Anydesk Temporary Artefact
- DNS Query To AzureWebsites.NET By Non-Browser Process
- GoToAssist Temporary Installation Artefact
- HackTool - Inveigh Execution Artefacts