Remote Access Tool - Team Viewer Session Started On Windows Host
Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
Sigma rule (View on GitHub)
1title: Remote Access Tool - Team Viewer Session Started On Windows Host
2id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
3related:
4 - id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
5 type: similar
6 - id: f459ccb4-9805-41ea-b5b2-55e279e2424a
7 type: similar
8status: experimental
9description: |
10 Detects the command line executed when TeamViewer starts a session started by a remote host.
11 Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
12references:
13 - Internal Research
14author: Josh Nickels, Qi Nan
15date: 2024-03-11
16tags:
17 - attack.initial-access
18 - attack.t1133
19logsource:
20 category: process_creation
21 product: windows
22detection:
23 selection:
24 Image: 'TeamViewer_Desktop.exe'
25 ParentImage: 'TeamViewer_Service.exe'
26 CommandLine|endswith: 'TeamViewer_Desktop.exe --IPCport 5939 --Module 1'
27 condition: selection
28falsepositives:
29 - Legitimate usage of TeamViewer
30level: low
References
Related rules
- External Remote RDP Logon from Public IP
- External Remote SMB Logon from Public IP
- Failed Logon From Public IP
- OpenCanary - SSH Login Attempt
- OpenCanary - SSH New Connection Attempt