TeamViewer Remote Session
Detects the creation of log files during a TeamViewer remote session
Sigma rule (View on GitHub)
1title: TeamViewer Remote Session
2id: 162ab1e4-6874-4564-853c-53ec3ab8be01
3status: test
4description: Detects the creation of log files during a TeamViewer remote session
5references:
6 - https://www.teamviewer.com/en-us/
7author: Florian Roth (Nextron Systems)
8date: 2022/01/30
9tags:
10 - attack.command_and_control
11 - attack.t1219
12logsource:
13 product: windows
14 category: file_event
15detection:
16 selection1:
17 TargetFilename|endswith:
18 - '\TeamViewer\RemotePrinting\tvprint.db'
19 - '\TeamViewer\TVNetwork.log'
20 selection2:
21 TargetFilename|contains|all:
22 - '\TeamViewer'
23 - '_Logfile.log'
24 condition: 1 of selection*
25falsepositives:
26 - Legitimate uses of TeamViewer in an organisation
27level: medium
References
Related rules
- Antivirus Exploitation Framework Detection
- Anydesk Temporary Artefact
- GoToAssist Temporary Installation Artefact
- Installation of TeamViewer Desktop
- AnyDesk Network