Adversaries may use TeamViewer to establish remote access sessions on Linux hosts to exfiltrate data or maintain persistence. SOC teams should proactively hunt for this behavior to identify potential unauthorized remote access attempts in their Azure Sentinel environment.
Detection Rule
title: Remote Access Tool - Team Viewer Session Started On Linux Host
id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
related:
    - id: ab70c354-d9ac-4e11-bbb6-ec8e3b153357
      type: similar
    - id: f459ccb4-9805-41ea-b5b2-55e279e2424a
      type: similar
status: test
description: |
    Detects the command line executed when TeamViewer starts a session initiated by a remote host.
    Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
references:
    - Internal Research
author: Josh Nickels, Qi Nan
date: 2024-03-11
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        ParentImage|endswith: '/TeamViewer_Service'
        Image|endswith: '/TeamViewer_Desktop'
        CommandLine|endswith: '/TeamViewer_Desktop --IPCport 5939 --Module 1'
    condition: selection
falsepositives:
    - Legitimate usage of TeamViewer
level: low
The same logic as a Microsoft Sentinel query over the ASIM process-creation schema (both ParentProcessName and ActingProcessName are tested for the creating process, so the query fires regardless of which of the two fields a given source fills):
imProcessCreate
| where (ParentProcessName endswith "/TeamViewer_Service" or ActingProcessName endswith "/TeamViewer_Service")
    and TargetProcessName endswith "/TeamViewer_Desktop"
    and TargetProcessCommandLine endswith "/TeamViewer_Desktop --IPCport 5939 --Module 1"
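To see exactly what the selection above does and does not fire on, here is the rule evaluated in Python over constructed ASIM-style records. This is an added example for this page, not code from the rule authors or from TeamViewer: the install path /opt/teamviewer/tv_bin, the host names and every record are made up, and from_asim() is a hypothetical field mapping that mirrors the KQL query's handling of ParentProcessName and ActingProcessName.

```python
"""Run the Sigma selection above against constructed process-creation records.
Added example for this page: the install path, hosts and records are made up,
and the matcher mirrors the rule, not TeamViewer's own code."""

# The rule's selection map: every key must match (a Sigma map is an AND), and
# `|endswith` compares case-insensitively unless the rule says otherwise.
SELECTION = {
    "ParentImage": "/TeamViewer_Service",
    "Image": "/TeamViewer_Desktop",
    "CommandLine": "/TeamViewer_Desktop --IPCport 5939 --Module 1",
}


def endswith_ci(value, suffix):
    return isinstance(value, str) and value.lower().endswith(suffix.lower())


def matches_rule(event):
    """True when an event expressed in Sigma field names satisfies the selection."""
    return all(endswith_ci(event.get(field), suffix) for field, suffix in SELECTION.items())


def from_asim(record):
    """Hypothetical mapping from an ASIM imProcessCreate row to Sigma field names.
    Like the KQL above, it accepts either ParentProcessName or ActingProcessName
    as the creating process."""
    return {
        "host": record.get("DvcHostname"),
        "ParentImage": record.get("ParentProcessName") or record.get("ActingProcessName"),
        "Image": record.get("TargetProcessName"),
        "CommandLine": record.get("TargetProcessCommandLine"),
    }


TV = "/opt/teamviewer/tv_bin"  # constructed install path, not taken from the page
DESKTOP_CMD = f"{TV}/TeamViewer_Desktop --IPCport 5939 --Module 1"

# Constructed records (not real telemetry). Only the first, second and last should fire.
SAMPLE_ASIM = [
    {"DvcHostname": "lnx-web-01", "ParentProcessName": f"{TV}/TeamViewer_Service",
     "TargetProcessName": f"{TV}/TeamViewer_Desktop", "TargetProcessCommandLine": DESKTOP_CMD},
    # same session shape, but this source fills ActingProcessName instead
    {"DvcHostname": "lnx-web-02", "ActingProcessName": f"{TV}/TeamViewer_Service",
     "TargetProcessName": f"{TV}/TeamViewer_Desktop", "TargetProcessCommandLine": DESKTOP_CMD},
    # made-up argument variation: the CommandLine suffix no longer matches
    {"DvcHostname": "lnx-web-03", "ParentProcessName": f"{TV}/TeamViewer_Service",
     "TargetProcessName": f"{TV}/TeamViewer_Desktop",
     "TargetProcessCommandLine": f"{TV}/TeamViewer_Desktop --IPCport 5939 --Module 2"},
    # same binary started by something other than the service: ParentImage does not match
    {"DvcHostname": "lnx-web-04", "ParentProcessName": "/usr/bin/bash",
     "TargetProcessName": f"{TV}/TeamViewer_Desktop", "TargetProcessCommandLine": DESKTOP_CMD},
    # unrelated process creation
    {"DvcHostname": "lnx-web-05", "ParentProcessName": "/usr/sbin/sshd",
     "TargetProcessName": "/usr/bin/bash", "TargetProcessCommandLine": "bash -l"},
    # case-variant path: still fires, because endswith is case-insensitive in both Sigma and KQL
    {"DvcHostname": "lnx-web-06", "ParentProcessName": f"{TV}/TeamViewer_Service".upper(),
     "TargetProcessName": f"{TV}/TeamViewer_Desktop".upper(),
     "TargetProcessCommandLine": DESKTOP_CMD.upper()},
]


def run_rule(records):
    """Hosts on which the rule fires, in record order."""
    hits = []
    for record in records:
        event = from_asim(record)
        if matches_rule(event):
            hits.append(event["host"])
    return hits


if __name__ == "__main__":
    print(run_rule(SAMPLE_ASIM))  # ['lnx-web-01', 'lnx-web-02', 'lnx-web-06']
```

The last record is the caveat worth remembering: Linux paths are case-sensitive but the match is not, so the rule is marginally broader than the file system; in KQL, endswith_cs tightens it if that matters to you.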
Scenario: Scheduled System Maintenance via TeamViewer
Description: An admin uses TeamViewer to remotely access a Linux server to perform scheduled maintenance tasks such as log rotation, package updates, or configuration changes.
Filter/Exclusion: The matched TeamViewer_Desktop command line is fixed by the rule (it always ends in --IPCport 5939 --Module 1), so maintenance keywords such as logrotate, apt, or yum never appear in it, and an exclusion keyed on that command line would match nothing. Instead, correlate the alert with the process creations on the same host during the session window. Commands the remote operator runs are launched through the existing desktop session and will not necessarily appear as children of TeamViewer_Desktop, so key on host, user, and time rather than on the parent process. Treat the session as expected when it falls in an approved maintenance window and the commands seen are limited to known maintenance tools or scripts; lower the alert's priority rather than suppressing the rule.
Scenario: Remote Support Session for a Linux Server
Description: A support technician connects to a Linux server using TeamViewer to troubleshoot an issue, such as a failed service or network connectivity problem.
Filter/Exclusion: The process creation event does not carry the remote party, so "known helpdesk" cannot be filtered from the alert alone. Use the connection details that the rule description points to in incoming_connections.txt on the host, which record the remote side by its TeamViewer ID rather than by IP, and compare them with the IDs your support teams use. Then check that the commands run during the session stay within the usual troubleshooting set (netstat, tcpdump, systemctl, and similar); anything outside it, such as archiving files or reading credential stores, still warrants review even when the remote ID is known.
Scenario: Automated Backup Job Using TeamViewer
Description: A backup job is configured to run remotely via TeamViewer to access a Linux server and transfer data to a backup system.
Filter/Exclusion: As above, the TeamViewer_Desktop command line never contains rsync, tar, or scp; look for those tools among the process creations on the host during the session and compare what they touch with the job's documented schedule and source and target paths. A tar or scp of paths the backup job does not normally read (for example /etc/shadow or arbitrary home directories) means the session is not the backup job, whatever it is named. It is also worth asking whether a scheduled backup needs an interactive TeamViewer session at all; a job that runs over SSH or a backup agent is far easier to allowlist precisely.
Scenario: Remote Configuration Management via TeamViewer
Description: An admin uses TeamViewer to access a Linux host to configure system settings, such as firewall rules, SSH configurations, or cron jobs.
Filter/Exclusion: Again, match iptables, ufw, crontab, or edits to sshd_config and ssh_config among the commands run on the host during the session rather than in the TeamViewer_Desktop command line, and restrict the allowance to known admin accounts (the user recorded on the process events) and expected hosts. Changes to firewall rules, SSH configuration, or cron jobs are also classic persistence steps, so for this scenario compare the resulting change against a change ticket instead of excluding the activity outright.
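The scenarios above all come down to the same question: given a session-start alert, what else ran on that host while the session was open, and is it confined to the tooling the scenario expects? The following is an added example of that triage step for this page, not code from the rule authors or from TeamViewer. The events, host names, 30-minute window and allowlists are constructed for illustration and would need tuning to a real estate; the session end time would normally come from incoming_connections.txt rather than a fixed window.

```python
"""Triage a TeamViewer session alert from what else ran on the host during the
session window. Added example for this page, not code from TeamViewer or the
rule authors; events, hosts, window length and allowlists are constructed."""
import os
import re
import shlex
from datetime import datetime, timedelta

SHELLS = {"sh", "bash", "dash", "zsh"}
WRAPPERS = {"sudo", "nohup", "nice"}  # simple prefixes that pass the real command through


def _ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def _strip_wrappers(tokens):
    while tokens and os.path.basename(tokens[0]) in WRAPPERS:
        tokens = tokens[1:]
    return tokens


def commands_in(event):
    """Command names an event represents: normally the image's basename, but
    for `sh -c '...'` the first word of each command in the inline script."""
    tokens = _strip_wrappers(shlex.split(event["CommandLine"]))
    if not tokens:
        return []
    name = os.path.basename(tokens[0])
    if name in SHELLS and "-c" in tokens and tokens.index("-c") + 1 < len(tokens):
        script = tokens[tokens.index("-c") + 1]
        names = []
        for part in re.split(r"\s*(?:&&|\|\||;|\|)\s*", script):
            inner = _strip_wrappers(part.split())
            if inner:
                names.append(os.path.basename(inner[0]))
        return names
    return [name]


# Allowlists for the scenarios above (constructed starting points, not a recommendation).
ALLOWLISTS = {
    "maintenance": {"logrotate", "apt", "apt-get", "yum", "dnf"},
    "support": {"netstat", "ss", "tcpdump", "systemctl", "journalctl"},
    "backup": {"rsync", "tar", "scp"},
    "config": {"iptables", "ufw", "crontab"},
}


def triage(alert, events, allowed, window=timedelta(minutes=30)):
    """Collect process creations on the alert's host within `window` after the
    session start and flag any whose commands fall outside `allowed`. The parent
    process is deliberately ignored: what the remote operator launches runs
    through the existing desktop session, not as a TeamViewer_Desktop child."""
    start = _ts(alert["ts"])
    end = start + window
    activity = [e for e in events
                if e is not alert and e["host"] == alert["host"]
                and start <= _ts(e["ts"]) <= end
                and "/teamviewer/" not in e["Image"].lower()]
    unexpected = []
    for e in activity:
        cmds = commands_in(e)
        if not cmds or not set(cmds) <= allowed:  # unparseable counts as unexpected
            unexpected.append(e["CommandLine"])
    return {"activity": len(activity), "unexpected": unexpected,
            "verdict": "review" if unexpected else "likely-legitimate"}


# Constructed events: the rule match, then what followed on the host.
ALERT = {"host": "lnx-web-01", "ts": "2024-03-11T10:00:00Z",
         "Image": "/opt/teamviewer/tv_bin/TeamViewer_Desktop",
         "CommandLine": "/opt/teamviewer/tv_bin/TeamViewer_Desktop --IPCport 5939 --Module 1"}
EVENTS = [
    ALERT,
    {"host": "lnx-web-01", "ts": "2024-03-11T10:02:10Z", "Image": "/usr/bin/bash",
     "CommandLine": "/usr/bin/bash -c 'sudo apt-get update && sudo apt-get -y upgrade'"},
    {"host": "lnx-web-01", "ts": "2024-03-11T10:05:30Z", "Image": "/usr/sbin/logrotate",
     "CommandLine": "/usr/sbin/logrotate -f /etc/logrotate.conf"},
    {"host": "lnx-web-01", "ts": "2024-03-11T10:12:00Z", "Image": "/usr/bin/tar",
     "CommandLine": "/usr/bin/tar czf /tmp/shadow.tgz /etc/shadow"},
    # outside the window, and on another host: both ignored
    {"host": "lnx-web-01", "ts": "2024-03-11T11:30:00Z", "Image": "/usr/bin/vim",
     "CommandLine": "/usr/bin/vim /etc/ssh/sshd_config"},
    {"host": "lnx-db-02", "ts": "2024-03-11T10:03:00Z", "Image": "/usr/bin/yum",
     "CommandLine": "/usr/bin/yum -y update"},
]

if __name__ == "__main__":
    print(triage(ALERT, EVENTS, ALLOWLISTS["maintenance"]))
```

With the maintenance allowlist the apt-get and logrotate activity is accepted but the tar of /etc/shadow is flagged, which is the point of scoping exclusions by scenario: the same tar would pass under the backup allowlist, so the allowlist chosen has to come from the ticket or schedule that justifies the session, not from whichever one makes the alert go away.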
Scenario: TeamViewer Used for Remote Monitoring and Management (RMM) Tools
Description: A remote monitoring and management (RMM) tool, such as Lansweeper or Kaseya, uses Team