TeamViewer Remote Session
Detects the creation of log files during a TeamViewer remote session
Sigma rule (View on GitHub)
1title: TeamViewer Remote Session
2id: 162ab1e4-6874-4564-853c-53ec3ab8be01
3status: test
4description: Detects the creation of log files during a TeamViewer remote session
5references:
6 - https://www.teamviewer.com/en-us/
7author: Florian Roth (Nextron Systems)
8date: 2022-01-30
9tags:
10 - attack.command-and-control
11 - attack.t1219
12logsource:
13 product: windows
14 category: file_event
15detection:
16 selection1:
17 TargetFilename|endswith:
18 - '\TeamViewer\RemotePrinting\tvprint.db'
19 - '\TeamViewer\TVNetwork.log'
20 selection2:
21 TargetFilename|contains|all:
22 - '\TeamViewer'
23 - '_Logfile.log'
24 condition: 1 of selection*
25falsepositives:
26 - Legitimate uses of TeamViewer in an organisation
27level: medium
References
-
Remote desktop access solutions by TeamViewer: Connect to remote computers, provide remote support, and collaborate online. Free for personal use!
Read More
Related rules
- Anydesk Temporary Artefact
- DNS Query To AzureWebsites.NET By Non-Browser Process
- GoToAssist Temporary Installation Artefact
- HackTool - Inveigh Execution Artefacts
- HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators