The detection identifies the use of TeamViewer to create processes, which is indicative of adversaries leveraging RMM tools for persistence or command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential compromise of endpoints through abuse of legitimate remote management tools.
KQL Query
```kql
let Time_start = now(-5d);
let Time_end = now();
//
DeviceProcessEvents
| where Timestamp between (Time_start..Time_end)
| where ProcessVersionInfoCompanyName has 'TeamViewer'
    and ProcessVersionInfoProductName has 'TeamViewer'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
```yaml
id: 715e9eaf-cb93-4455-952f-744125677797
name: Remote Management and Monitoring tool - TeamViewer - Create Process
description: |
  Remote Monitoring and Management (RMM) programs are used by IT to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics: CommandAndControl
relevantTechniques: T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceProcessEvents
  | where Timestamp between (Time_start..Time_end)
  | where ProcessVersionInfoCompanyName has 'TeamViewer'
      and ProcessVersionInfoProductName has 'TeamViewer'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
- **Scenario: IT Admin Deploys TeamViewer for Remote Support**
  - Description: A system administrator uses TeamViewer to remotely support an end-user’s workstation.
  - Filter/Exclusion: `process.name != "TeamViewer" OR process.parent.name == "Remote Desktop Services" OR user.account == "IT_Admin_Account"`
- **Scenario: Scheduled Job to Update TeamViewer on Multiple Systems**
  - Description: A scheduled task runs to update TeamViewer on multiple endpoints via a centralized management console.
  - Filter/Exclusion: `process.name == "TeamViewerUpdate" OR process.parent.name == "Task Scheduler" OR process.command_line contains "update"`
- **Scenario: TeamViewer Used for Remote Desktop Access by IT Helpdesk**
  - Description: The IT helpdesk uses TeamViewer to access user machines for troubleshooting.
  - Filter/Exclusion: `process.parent.name == "Remote Desktop Services" OR user.account contains "Helpdesk" OR process.command_line contains "remote access"`
- **Scenario: TeamViewer Installed via Group Policy for Endpoint Management**
  - Description: TeamViewer is deployed via Group Policy to all endpoints as part of an enterprise endpoint management strategy.
  - Filter/Exclusion: `process.parent.name == "GroupPolicy" OR process.command_line contains "install" OR user.account contains "Domain Admin"`
- **Scenario: TeamViewer Used for Remote Monitoring of Network Devices**
  - Description: Network administrators use TeamViewer to monitor and manage network devices (e.g., routers, switches) remotely.
  - Filter/Exclusion: `process.parent.name == "Network Management Console" OR process.command_line contains "monitor" OR user.account contains "Network Admin"`
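The exclusions above are written with generic field names; the query below is an added example (not part of the original rule) that applies the same tuning against the actual `DeviceProcessEvents` columns and keeps the suppressed events countable so analysts can verify the allowlists are not hiding activity. The account and parent-process allowlists are placeholder assumptions to be replaced with organisational values.

```kql
// Added example: hunting query with the tuning scenarios mapped to
// DeviceProcessEvents columns. Allowlists below are placeholders (assumptions).
let Time_start = now(-5d);
let Time_end = now();
let ApprovedAccounts = dynamic(["helpdesk-svc", "it-admin"]);   // placeholder: helpdesk / IT admin accounts
let ApprovedParents  = dynamic(["msiexec.exe", "svchost.exe"]); // placeholder: GPO/MSI and scheduled-task hosts
DeviceProcessEvents
| where Timestamp between (Time_start .. Time_end)
| where ProcessVersionInfoCompanyName has 'TeamViewer'
    and ProcessVersionInfoProductName has 'TeamViewer'
// Scenario: scheduled or centralised updates (command line mentions update)
| extend IsUpdate = ProcessCommandLine has 'update'
// Scenario: helpdesk / admin accounts doing remote support
| extend IsApprovedAccount = AccountName in~ (ApprovedAccounts)
// Scenario: deployment via Group Policy or Task Scheduler (parent process)
| extend IsApprovedParent = InitiatingProcessFileName in~ (ApprovedParents)
| extend Suppressed = IsUpdate or IsApprovedAccount or IsApprovedParent
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
            Processes=make_set(FileName),
            Accounts=make_set(AccountName),
            Parents=make_set(InitiatingProcessFileName),
            Report=make_set(ReportId),
            Unsuppressed=countif(not(Suppressed)),
            SuppressedCount=countif(Suppressed)
    by DeviceId, DeviceName
// Keep only devices with at least one event that no exclusion explains
| where Unsuppressed > 0
| order by Unsuppressed desc
```

Review the `SuppressedCount` column periodically: a device where every TeamViewer launch is explained by an allowlist entry is exactly where an over-broad exclusion would mask misuse.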