Network connections from a TeamViewer-signed process to TeamViewer's own relay infrastructure (teamviewer.com, teamviewer.cn) are expected on hosts where the tool is sanctioned, but on devices where it is not deployed they may indicate an adversary leveraging a legitimate remote management tool for command and control (MITRE ATT&CK T1219, Remote Access Software). SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel). The query below does not alert on every connection; it inventories which devices are talking to TeamViewer, when, and how often, so that unexpected hosts can be triaged as a possible RMM-based pivot point.
KQL Query

```kql
// Look back five days for outbound connections to TeamViewer infrastructure
// that were initiated by a binary whose version info names TeamViewer as the
// company, then summarize per device and destination.
let Time_start = now(-5d);
let Time_end = now();
//
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has_any (
    'teamviewer.com',
    'teamviewer.cn'
  )
  and InitiatingProcessVersionInfoCompanyName has 'TeamViewer'
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
    RemoteUrl
```
The same query packaged as a Sentinel hunting-query definition:

```yaml
id: f5023daf-2ac2-407e-b079-6c3bc81d7e25
name: Remote Management and Monitoring tool - TeamViewer - Network Connection
description: |
  Remote Monitoring and Management (RMM) programs are used by IT teams to manage remote endpoints. Attackers have begun to abuse these programs to persist or provide C2 channels.
  https://github.com/jischell-msft/RemoteManagementMonitoringTools
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - CommandAndControl
relevantTechniques:
  - T1219
query: |
  let Time_start = now(-5d);
  let Time_end = now();
  //
  DeviceNetworkEvents
  | where Timestamp between (Time_start..Time_end)
  | where RemoteUrl has_any (
      'teamviewer.com',
      'teamviewer.cn'
    )
    and InitiatingProcessVersionInfoCompanyName has 'TeamViewer'
  | summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
      Report=make_set(ReportId), Count=count() by DeviceId, DeviceName,
      RemoteUrl
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Populated by the MicrosoftThreatProtection (Microsoft Defender XDR) data connector; ensure the connector is enabled and device network events are being ingested |
Expected (benign) activity that this hunt will surface, with the condition under which matching events can be filtered out. The filter expressions are written in generic ECS-style field names (process.name, destination.port, source.ip), not in the DeviceNetworkEvents column names the query uses, and the account and IP values are placeholders; translate both to your own schema and inventory before applying them. Verify the port in your own telemetry as well: TeamViewer's documented primary port is TCP 5938, with fallback to 443 and 80, so an exclusion keyed on a single port will miss sessions that fell back.

Scenario: Scheduled System Maintenance via TeamViewer
Description: An IT administrator uses TeamViewer to perform routine system maintenance on a server during off-hours.
Filter/Exclusion: process.name != "TeamViewer" OR process.parent.name != "TeamViewer" OR destination.port != 992

Scenario: Remote Desktop Support Session
Description: A support technician connects to a user's machine via TeamViewer to assist with a software issue.
Filter/Exclusion: process.name != "TeamViewer" OR user.account != "IT_Support_Account" OR destination.ip != "internal_network_ip"

Scenario: Automated Patching Job via TeamViewer
Description: A scheduled job runs via TeamViewer to apply security patches to multiple endpoints in the network.
Filter/Exclusion: process.name != "TeamViewer" OR process.parent.name != "Task Scheduler" OR destination.port != 992

Scenario: Remote Backup Job Using TeamViewer
Description: A backup system uses TeamViewer to transfer data from remote machines to a central backup server.
Filter/Exclusion: process.name != "TeamViewer" OR destination.port != 992 OR source.ip != "backup_server_ip"

Scenario: TeamViewer Used for Remote Monitoring of Network Devices
Description: Network administrators use TeamViewer to monitor and manage network devices (e.g., routers, switches) remotely.
Filter/Exclusion: process.name != "TeamViewer" OR destination.port != 992 OR source.ip != "network_admin_ip"
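The scenarios above translated into the DeviceNetworkEvents schema the hunting query already runs against, as an added example that is not part of the original rule or the linked repository. It keeps the original match logic and adds the tuning a practitioner would actually deploy: allow-lists of approved accounts and source hosts, a parent-process check for scheduled tasks, and a port check, then suppresses only events that satisfy one complete expected-use pattern. The allow-list values (it_support_account, svc_backup, backup01, netadmin-ws01), the expected port, and the use of svchost.exe as the parent of Task Scheduler-launched processes are assumptions to be replaced with your own inventory.

```kql
// Added example: false-positive tuning for the TeamViewer network hunt,
// expressed in DeviceNetworkEvents columns rather than ECS field names.
let Time_start = now(-5d);
let Time_end = now();
// Assumed allow-list of accounts sanctioned to run TeamViewer sessions
// (scenarios 1, 2 and 4). Replace with your own values.
let ApprovedAccounts = dynamic(["it_support_account", "svc_backup"]);
// Assumed allow-list of hosts expected to originate TeamViewer traffic
// (scenarios 4 and 5). Short host names; replace with your own.
let ApprovedSourceHosts = dynamic(["backup01", "netadmin-ws01"]);
// Port TeamViewer is expected to use here; confirm in your own telemetry.
let ExpectedPort = 5938;
DeviceNetworkEvents
| where Timestamp between (Time_start..Time_end)
| where RemoteUrl has_any ('teamviewer.com', 'teamviewer.cn')
    and InitiatingProcessVersionInfoCompanyName has 'TeamViewer'
// Short host name for comparison against the allow-list (DeviceName is an FQDN).
| extend ShortHost = tostring(split(DeviceName, '.')[0])
// Scenario 1 and 2: interactive session run by an approved account,
// launched by a TeamViewer binary (parent is also TeamViewer).
| extend IsApprovedAccount = InitiatingProcessAccountName in~ (ApprovedAccounts)
| extend ParentIsTeamViewer = InitiatingProcessParentFileName startswith_cs "TeamViewer"
// Scenario 3: job started by Task Scheduler. Assumption: the Schedule
// service hosts tasks in svchost.exe, so that is the parent file name.
| extend IsScheduledTask = InitiatingProcessParentFileName =~ 'svchost.exe'
// Scenario 4 and 5: traffic originating from an approved source host.
| extend IsApprovedSourceHost = ShortHost in~ (ApprovedSourceHosts)
| extend OnExpectedPort = RemotePort == ExpectedPort
// An event is expected only when one complete scenario holds; a sanctioned
// account on a non-standard port, or an approved host running an unknown
// parent, still surfaces for review.
| extend Expected =
      (IsApprovedAccount and ParentIsTeamViewer and OnExpectedPort)
   or (IsScheduledTask and IsApprovedAccount and OnExpectedPort)
   or (IsApprovedSourceHost and OnExpectedPort)
| where not(Expected)
| summarize FirstSeen=min(Timestamp), LastSeen=max(Timestamp),
    Ports=make_set(RemotePort), Accounts=make_set(InitiatingProcessAccountName),
    Parents=make_set(InitiatingProcessParentFileName),
    Report=make_set(ReportId), Count=count()
  by DeviceId, DeviceName, RemoteUrl
| order by Count asc
```

Sorting ascending puts the rare pairings first: a device that contacted TeamViewer once from an unexpected account is more interesting than the helpdesk workstation that does it hourly. Keep the untuned query alongside this one; the allow-lists should be reviewed against the untuned output periodically so that a compromised approved account does not become permanently invisible.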