Deleting TeamViewer log files (Indicator Removal: File Deletion, ATT&CK T1070.004) erases the record of remote-control sessions on the host and is a sign that an adversary is covering their tracks. SOC teams should hunt for this behaviour in Azure Sentinel so that evidence destruction is caught, and the host preserved for forensics, before the intrusion progresses.
Detection Rule
title: TeamViewer Log File Deleted
id: b1decb61-ed83-4339-8e95-53ea51901720
status: test
description: Detects the deletion of the TeamViewer log files which may indicate an attempt to destroy forensic evidence
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
author: frack113
date: 2022-01-16
modified: 2023-02-15
tags:
    - attack.defense-evasion
    - attack.t1070.004
logsource:
    product: windows
    category: file_delete
detection:
    selection:
        TargetFilename|contains: '\TeamViewer_'
        TargetFilename|endswith: '.log'
    filter:
        Image: C:\Windows\system32\svchost.exe
    condition: selection and not filter
falsepositives:
    - Unknown
level: low
Azure Sentinel (ASIM imFileEvent) translation:

imFileEvent
| where EventType == "FileDeleted"
| where TargetFilePath contains "\\TeamViewer_" and TargetFilePath endswith ".log"
| where not(ActingProcessName =~ "C:\\Windows\\system32\\svchost.exe")
| project TimeGenerated, DvcHostname, ActorUsername, ActingProcessName, TargetFilePath

In the ASIM FileEvent schema TargetFileName is the bare file name (no path) and TargetFilePath is the full path, so the '\TeamViewer_' substring has to be matched against TargetFilePath. The rule's filter keys on the acting process (Sigma Image), which ASIM carries in ActingProcessName; comparing the deleted file's path with svchost.exe instead would never match and would silently disable the exclusion. The EventType clause mirrors the rule's file_delete log source.
Tuning notes: each exclusion below keys on Image, the full path of the acting process, because that is the field the rule already filters on. Windows file_delete events never carry Linux daemon names (logrotate, rsyslogd) or shell scripts (*.sh), and cmd.exe builtins (del, erase) and the PowerShell alias rm never appear as process names; the event shows cmd.exe or powershell.exe as Image. Put each exclusion in its own filter_* selection and change the condition to selection and not 1 of filter*, so that every exclusion applies at once. Never write an exclusion as process.name != "a" or process.name != "b": as soon as a and b differ, every event satisfies it and nothing is excluded. All tool paths below are hypothetical placeholders for the paths in your environment.

Scenario: A system administrator deletes TeamViewer log files as part of routine log rotation or maintenance.
Filter/Exclusion: filter_maintenance: Image: 'C:\Tools\LogMaintenance\logclean.exe'

Scenario: A scheduled task runs to clean up old log files, including TeamViewer logs, to manage disk space.
Filter/Exclusion: filter_cleanup_task: Image: 'C:\Tools\LogMaintenance\cleanup.exe'. If the task runs a script through cmd.exe or powershell.exe, the file_delete event shows only the interpreter as Image, and excluding the interpreter would also hide an adversary's shell. Correlate the event's ProcessGuid with the matching process-creation event (Sysmon Event ID 1) and allowlist on that event's CommandLine instead.

Scenario: An IT support tool or script is used to remove TeamViewer logs during a system audit or compliance check.
Filter/Exclusion: filter_support_tool: Image: 'C:\Tools\Support\audit_tool.exe'

Scenario: A user manually deletes TeamViewer logs after resolving an issue or troubleshooting a connectivity problem.
Filter/Exclusion: None. Manual deletion shows up as cmd.exe (del, erase), powershell.exe (rm, Remove-Item) or explorer.exe, which is also how an attacker, and the referenced Atomic test, deletes the file; excluding those processes would blind the rule. Leave these alerts in and triage on the User field and the deletion time against the support ticket.

Scenario: A log-forwarding agent is configured to delete TeamViewer logs from the endpoint once it has shipped them.
Filter/Exclusion: filter_forwarder: Image: 'C:\Program Files\LogForwarder\forwarder.exe'
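The following is an added example, not code from the Sigma rule, its author, or the Sentinel translation above. It runs the rule's selection-and-not-filter logic over constructed Sysmon Event ID 23 (FileDelete) records using the rule's own field names (Image for the acting process, TargetFilename for the deleted file), then demonstrates the two tuning mistakes discussed in the scenarios: an exclusion that tests the deleted file's path instead of the acting process, and exclusions joined with OR. The sample events, the user name alice and every path under C:\Tools\ are constructed; one record uses a version-suffixed name (TeamViewer15_Logfile.log) to show that, if your TeamViewer version writes such names, the rule's '\TeamViewer_' substring does not cover them.

```python
"""Added example: evaluate the TeamViewer log-deletion rule over constructed
Sysmon Event ID 23 (FileDelete) records. Not part of the Sigma rule or the
Sentinel query on this page."""

from dataclasses import dataclass
from typing import Iterable, Sequence

# The rule's own filter: the single acting process it excludes.
DEFAULT_ALLOWLIST: tuple[str, ...] = (r"C:\Windows\system32\svchost.exe",)


@dataclass(frozen=True)
class FileDelete:
    image: str   # Sysmon 'Image': full path of the process that deleted the file
    target: str  # Sysmon 'TargetFilename': full path of the deleted file


def selection(ev: FileDelete) -> bool:
    """Sigma 'selection': TargetFilename|contains '\\TeamViewer_' and |endswith '.log'.
    Sigma string matching is case-insensitive, so compare case-folded values."""
    t = ev.target.casefold()
    return "\\teamviewer_" in t and t.endswith(".log")


def excluded(ev: FileDelete, allowlist: Sequence[str] = DEFAULT_ALLOWLIST) -> bool:
    """Sigma 'filter': the acting process is one of the allowlisted paths.
    Each entry suppresses deletions by that process and no other."""
    return ev.image.casefold() in {p.casefold() for p in allowlist}


def alerts(ev: FileDelete, allowlist: Sequence[str] = DEFAULT_ALLOWLIST) -> bool:
    """Sigma 'condition: selection and not filter'."""
    return selection(ev) and not excluded(ev, allowlist)


def run(events: Iterable[FileDelete],
        allowlist: Sequence[str] = DEFAULT_ALLOWLIST) -> list[FileDelete]:
    """Return the events the rule raises, in input order."""
    return [ev for ev in events if alerts(ev, allowlist)]


def alerts_misplaced_filter(ev: FileDelete) -> bool:
    """Mistake 1: exclusion compares the *deleted file's* path with svchost.exe.
    A path ending in '.log' can never equal it, so the exclusion is a no-op and
    svchost's own deletions alert anyway."""
    return selection(ev) and ev.target.casefold() != r"c:\windows\system32\svchost.exe"


def kept_by_or_exclusion(ev: FileDelete, names: Sequence[str]) -> bool:
    """Mistake 2: 'process.name != a OR process.name != b'. Once a and b differ,
    every event satisfies at least one inequality, so nothing is excluded."""
    name = ev.image.rsplit("\\", 1)[-1].casefold()
    return any(name != n.casefold() for n in names)


# Constructed sample events; paths under C:\Tools\ are hypothetical.
SAMPLE_EVENTS = [
    FileDelete(r"C:\Windows\system32\svchost.exe",
               r"C:\Users\alice\AppData\Roaming\TeamViewer\TeamViewer_Logfile_OLD.log"),
    FileDelete(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"C:\Users\alice\AppData\Roaming\TeamViewer\TeamViewer_Logfile.log"),
    FileDelete(r"C:\Windows\system32\cmd.exe",
               r"C:\Program Files\TeamViewer\TeamViewer_Logfile.log"),
    FileDelete(r"C:\Windows\explorer.exe",
               r"C:\Users\alice\Downloads\TeamViewer_Setup.exe"),        # not a .log
    FileDelete(r"C:\Windows\system32\cmd.exe",
               r"C:\Program Files\TeamViewer\TeamViewer15_Logfile.log"),  # version-suffixed
    FileDelete(r"C:\Tools\LogMaintenance\logclean.exe",
               r"C:\Program Files\TeamViewer\TeamViewer_Logfile_OLD.log"),
]

if __name__ == "__main__":
    for ev in run(SAMPLE_EVENTS):
        print("ALERT", ev.image, "->", ev.target)
    # Adding the maintenance tool to the allowlist suppresses only its own deletions.
    tuned = DEFAULT_ALLOWLIST + (r"C:\Tools\LogMaintenance\logclean.exe",)
    print(len(run(SAMPLE_EVENTS)), "alerts before tuning,", len(run(SAMPLE_EVENTS, tuned)), "after")
```

With the default allowlist the rule raises the powershell.exe, cmd.exe and logclean.exe deletions and suppresses svchost.exe; adding the maintenance tool's path removes only its event, while the misplaced-filter variant also raises the svchost.exe deletion and the OR-joined exclusion keeps every event.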