Remote Access Tool - Team Viewer Session Started On Windows Host
Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
Sigma rule (View on GitHub)
1title: Remote Access Tool - Team Viewer Session Started On Windows Host
2id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
3related:
4 - id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
5 type: similar
6 - id: f459ccb4-9805-41ea-b5b2-55e279e2424a
7 type: similar
8status: test
9description: |
10 Detects the command line executed when TeamViewer starts a session started by a remote host.
11 Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
12references:
13 - Internal Research
14author: Josh Nickels, Qi Nan
15date: 2024-03-11
16tags:
17 - attack.persistence
18 - attack.initial-access
19 - attack.t1133
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection:
25 Image: 'TeamViewer_Desktop.exe'
26 ParentImage: 'TeamViewer_Service.exe'
27 CommandLine|endswith: 'TeamViewer_Desktop.exe --IPCport 5939 --Module 1'
28 condition: selection
29falsepositives:
30 - Legitimate usage of TeamViewer
31level: low
References
Related rules
- External Remote RDP Logon from Public IP
- External Remote SMB Logon from Public IP
- Failed Logon From Public IP
- OpenCanary - SSH Login Attempt
- OpenCanary - SSH New Connection Attempt