The detection identifies the installation of TeamViewer Desktop, a remote access tool commonly used by adversaries for persistence and lateral movement. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise and mitigate the risk of unauthorized remote access.
Detection Rule
title: Installation of TeamViewer Desktop
id: 9711de76-5d4f-4c50-a94f-21e4e8f8384d
status: test
description: TeamViewer_Desktop.exe is created during install
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows
author: frack113
date: 2022-01-28
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: '\TeamViewer_Desktop.exe'
    condition: selection
falsepositives:
    - Unknown
level: medium
Azure Sentinel Query (KQL)
imFileEvent
| where TargetFileName endswith "\\TeamViewer_Desktop.exe"
False Positive Scenarios

Scenario: System update or patching process includes TeamViewer as part of a pre-configured software bundle.
Filter/Exclusion: Check for Process.parent_process_name containing "Windows Update" or "PatchManager" and exclude if the parent process is known to deploy software.

Scenario: IT administrators install TeamViewer Desktop via a Group Policy Object (GPO) or SCCM deployment.
Filter/Exclusion: Filter by Process.user to exclude processes initiated by the local admin account or domain admin group, or check for Process.command_line containing GPO or SCCM deployment strings.

Scenario: A scheduled task runs a script that downloads and installs TeamViewer Desktop for remote support purposes.
Filter/Exclusion: Use Process.parent_process_name to exclude tasks initiated by schtasks.exe or TaskScheduler and verify the script path is known and authorized.

Scenario: A legitimate third-party tool or service (e.g., Remote Desktop Manager) includes TeamViewer as part of its integration or support tools.
Filter/Exclusion: Check for Process.parent_process_name containing known legitimate tools or services, and verify the installation path matches expected locations for such integrations.

Scenario: A developer or sysadmin manually installs TeamViewer Desktop for testing or development purposes.
Filter/Exclusion: Filter by Process.user to exclude non-administrator accounts or use a custom field to tag installations made by known developers or sysadmins.
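The following is an added example (not part of the original page or the Sigma rule) that applies the rule's selection to constructed file-creation events and then applies the GPO/SCCM exclusion from the scenarios above. The event field names, the deployment-agent allowlist (CcmExec.exe, gpscript.exe) and the expected install directory are assumptions for illustration; the point it shows is that an exclusion should require both a trusted parent and the expected install path, so a trusted agent dropping the binary elsewhere still alerts.

```python
# Constructed sample file-creation events in a Sysmon/ASIM-like shape.
# Field names and paths are illustrative assumptions, not captured telemetry.
SAMPLE_EVENTS = [
    # 1: user-driven install launched from Explorer -> alert
    {"TargetFilename": r"C:\Program Files\TeamViewer\TeamViewer_Desktop.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # 2: SCCM client deploying into the expected path -> excluded
    {"TargetFilename": r"C:\Program Files\TeamViewer\TeamViewer_Desktop.exe",
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe"},
    # 3: not the target binary (a log file) -> no match
    {"TargetFilename": r"C:\Temp\TeamViewer_Desktop.exe.log",
     "ParentImage": r"C:\Windows\explorer.exe"},
    # 4: deployment-agent parent but binary dropped in a temp dir -> alert
    {"TargetFilename": r"C:\Users\bob\AppData\Local\Temp\x\TeamViewer_Desktop.exe",
     "ParentImage": r"C:\Windows\CCM\CcmExec.exe"},
    # 5: mixed-case name written by a PowerShell parent -> alert
    {"TargetFilename": r"D:\tools\TEAMVIEWER_DESKTOP.EXE",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# Assumed allowlist for the page's GPO/SCCM scenario: parent image names of
# known deployment agents and the install directory they are expected to use.
KNOWN_DEPLOYMENT_PARENTS = {"ccmexec.exe", "gpscript.exe"}
EXPECTED_INSTALL_PREFIX = "c:\\program files\\teamviewer\\"

def matches_selection(event):
    """Sigma selection TargetFilename|endswith '\\TeamViewer_Desktop.exe'.
    Sigma string matching is case-insensitive, so compare lower-cased."""
    return event["TargetFilename"].lower().endswith("\\teamviewer_desktop.exe")

def is_expected_deployment(event):
    """Exclude only when the parent is a known deployment agent AND the file
    lands in the expected install directory; an agent writing the binary
    somewhere else (event 4) stays suspicious."""
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    in_path = event["TargetFilename"].lower().startswith(EXPECTED_INSTALL_PREFIX)
    return parent in KNOWN_DEPLOYMENT_PARENTS and in_path

def triage(events):
    """Return one verdict per event: 'no_match', 'excluded' or 'alert'."""
    verdicts = []
    for e in events:
        if not matches_selection(e):
            verdicts.append("no_match")
        elif is_expected_deployment(e):
            verdicts.append("excluded")
        else:
            verdicts.append("alert")
    return verdicts
```

Running `triage(SAMPLE_EVENTS)` yields one verdict per constructed event; only event 2 is suppressed, while event 4 still alerts despite its SCCM parent.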