Adversaries may use TeamViewer remote sessions to establish persistent access and exfiltrate data by creating log files to mask their activities. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential long-term persistence and data exfiltration attempts.
Detection Rule
title: TeamViewer Remote Session
id: 162ab1e4-6874-4564-853c-53ec3ab8be01
status: test
description: Detects the creation of log files during a TeamViewer remote session
references:
    - https://www.teamviewer.com/en-us/
author: Florian Roth (Nextron Systems)
date: 2022-01-30
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: file_event
detection:
    selection1:
        TargetFilename|endswith:
            - '\TeamViewer\RemotePrinting\tvprint.db'
            - '\TeamViewer\TVNetwork.log'
    selection2:
        TargetFilename|contains|all:
            - '\TeamViewer'
            - '_Logfile.log'
    condition: 1 of selection*
falsepositives:
    - Legitimate uses of TeamViewer in an organisation
level: medium
Azure Sentinel Query (KQL)
imFileEvent
| where (TargetFileName endswith "\\TeamViewer\\RemotePrinting\\tvprint.db" or TargetFileName endswith "\\TeamViewer\\TVNetwork.log") or (TargetFileName contains "\\TeamViewer" and TargetFileName contains "_Logfile.log")
False Positive Scenarios and Exclusions
Scenario: System administrator uses TeamViewer to remotely access a server to perform a scheduled backup job.
Filter/Exclusion: Exclude log file creation events associated with known backup tools (e.g., Veeam, Commvault, or rsync).

Scenario: IT staff uses TeamViewer to remotely configure a firewall or update system settings on a production server.
Filter/Exclusion: Exclude log file creation events when the process is initiated by a known administrative tool (e.g., PowerShell, Ansible, or Chef).

Scenario: A legitimate scheduled task runs a script that generates log files via TeamViewer for remote monitoring purposes.
Filter/Exclusion: Exclude log file creation events that occur during scheduled tasks (e.g., Task Scheduler jobs with known names or execution times).

Scenario: A developer uses TeamViewer to access a development environment and manually logs activity for debugging.
Filter/Exclusion: Exclude log file creation events where the source IP is from a known internal development network or the user is a known developer with elevated privileges.

Scenario: A third-party service provider uses TeamViewer to access a customer's system for routine maintenance or support.
Filter/Exclusion: Exclude log file creation events where the user is a known service account or the session is part of a documented support contract.
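To see exactly which paths the rule's two selections match and how a process allow-list of the kind the exclusions above describe narrows the hits, here is an added Python example (not code from the rule, its author, or the Sigma project) that evaluates the `detection` block over constructed file-creation events using Sigma's default case-insensitive string matching.

```python
"""Evaluate the TeamViewer Sigma rule's detection logic over constructed
file_event records (Sysmon Event ID 11 style). Sigma's endswith/contains
modifiers are case-insensitive by default, as is KQL's, so paths are lowered."""

# Values copied from the rule's selection1 / selection2 blocks.
SELECTION1_ENDSWITH = (
    r"\TeamViewer\RemotePrinting\tvprint.db",
    r"\TeamViewer\TVNetwork.log",
)
SELECTION2_CONTAINS_ALL = (r"\TeamViewer", "_Logfile.log")


def matches_rule(target_filename: str) -> bool:
    """True when the path satisfies `condition: 1 of selection*`."""
    name = target_filename.lower()
    sel1 = any(name.endswith(s.lower()) for s in SELECTION1_ENDSWITH)
    sel2 = all(s.lower() in name for s in SELECTION2_CONTAINS_ALL)
    return sel1 or sel2


# Constructed sample events (not real telemetry). The last one shows that
# selection2's `contains` also fires on a non-TeamViewer directory whose
# name merely contains "\TeamViewer", so allow-listing by process matters.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\TeamViewer\TVNetwork.log"},
    {"Image": r"C:\Program Files\TeamViewer\TeamViewer_Service.exe",
     "TargetFilename": r"C:\Program Files\TeamViewer\TeamViewer15_Logfile.log"},
    {"Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\TeamViewer\RemotePrinting\tvprint.db"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Logs\CBS\CBS.log"},
    {"Image": r"C:\Tools\backup.exe",  # hypothetical backup tool
     "TargetFilename": r"C:\Backups\teamviewer_notes\session_Logfile.log"},
]


def hunt(events, excluded_images=()):
    """Return matching events, dropping those created by allow-listed
    processes (one way to implement the page's tuning exclusions)."""
    excluded = {i.lower() for i in excluded_images}
    return [ev for ev in events
            if matches_rule(ev["TargetFilename"])
            and ev["Image"].lower() not in excluded]
```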