Remote Access Tool - Team Viewer Session Started On Windows Host

Rule Info

Name
Remote Access Tool - Team Viewer Session Started On Windows Host
Author
Josh Nickels, Qi Nan
Description
Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
Reference
Internal Research
Date
2024-03-11 00:00:00
Modified
None
Id
ab70c354-d9ac-4e11-bbb6-ec8e3b153357
Tags
attack.initial_access attack.t1133 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=ab70c354-d9ac-4e11-bbb6-ec8e3b153357

Rule History

Author
Title
Date
Commit
Josh
Merge PR #4759 from @joshnck - Add new rules covering incoming TeamViewer connection activity
2024-03-15
68511f711
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022