LoFP / Depending on the environment, the rule might require some initial tuning before usage to avoid false positives with third-party applications.

Techniques

Sample rules

TeamViewer Domain Query By Non-TeamViewer Application

Description

Detects DNS queries to TeamViewer domains that are normally only resolved by the TeamViewer client, when the querying process image does not contain "TeamViewer" in its name (renaming the client binary is a trick threat actors sometimes use for obfuscation).

Detection logic

selection:
  QueryName:
  - taf.teamviewer.com
  - udp.ping.teamviewer.com
filter_main_teamviewer:
  Image|contains: TeamViewer
condition: selection and not 1 of filter_main_*
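The detection logic above evaluated over a handful of constructed Sysmon Event ID 22 (DnsQuery) records, as an added example that is not part of the LoFP page or of the Sigma project. It reproduces the rule's semantics (Sigma string matches are case-insensitive by default, so a renamed `teamviewer_service.exe` is still filtered) and shows the tuning the false-positive note refers to: an extra `filter_main_*` entry for a third-party application that legitimately resolves these names. The event records, the `ThirdPartyRMM\agent.exe` image name and the `TUNED_FILTERS` name are assumptions made for the example.

```python
"""Added example: the TeamViewer DNS-query Sigma rule evaluated in Python over
constructed Sysmon Event ID 22 records. Illustrative code only, not the LoFP
page's or the Sigma project's own; sample events and the third-party image
name used in the tuning filter are assumptions."""

# selection: the QueryName values from the rule. Sigma plain string values are
# exact matches and case-insensitive, so everything is compared lowercased.
SELECTION_QUERY_NAMES = {"taf.teamviewer.com", "udp.ping.teamviewer.com"}

# filter_main_*: Image|contains values. Each key is one filter_main_* block;
# "1 of filter_main_*" in the condition means any of them suppresses the alert.
FILTERS_MAIN = {
    "filter_main_teamviewer": ["TeamViewer"],
}

# Hypothetical tuning for an environment where a third-party RMM agent also
# resolves these domains (assumed image path, not a real product).
TUNED_FILTERS = {
    **FILTERS_MAIN,
    "filter_main_thirdparty_rmm": [r"\ThirdPartyRMM\agent.exe"],
}


def matches_selection(event):
    """selection: QueryName is one of the two TeamViewer-only names."""
    return event.get("QueryName", "").lower() in SELECTION_QUERY_NAMES


def matches_any_filter(event, filters):
    """1 of filter_main_*: Image contains any listed substring (case-insensitive)."""
    image = event.get("Image", "").lower()
    return any(
        needle.lower() in image
        for needles in filters.values()
        for needle in needles
    )


def rule_fires(event, filters=None):
    """condition: selection and not 1 of filter_main_*"""
    filters = FILTERS_MAIN if filters is None else filters
    return matches_selection(event) and not matches_any_filter(event, filters)


# Constructed Sysmon Event ID 22 records (not real telemetry).
SAMPLE_EVENTS = [
    # Legitimate client: selection matches, filter suppresses.
    {"Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "QueryName": "taf.teamviewer.com"},
    # Renamed client masquerading as svchost: fires.
    {"Image": r"C:\Users\Public\svchost.exe",
     "QueryName": "udp.ping.teamviewer.com"},
    # Browser visiting the website: not in selection, does not fire.
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "www.teamviewer.com"},
    # Lowercase name still contains "teamviewer": filtered.
    {"Image": r"C:\Temp\teamviewer_service.exe",
     "QueryName": "taf.teamviewer.com"},
    # Third-party agent that legitimately resolves the name: the false
    # positive the LoFP note describes; only TUNED_FILTERS suppresses it.
    {"Image": r"C:\Program Files\ThirdPartyRMM\agent.exe",
     "QueryName": "udp.ping.teamviewer.com"},
]


def run_rule(events, filters=None):
    """Return the Image of every event the rule alerts on, in input order."""
    return [e["Image"] for e in events if rule_fires(e, filters)]


if __name__ == "__main__":
    print("untuned:", run_rule(SAMPLE_EVENTS))
    print("tuned:  ", run_rule(SAMPLE_EVENTS, TUNED_FILTERS))
```

With the rule as published, both the renamed `svchost.exe` and the third-party agent alert; after adding the environment-specific `filter_main_*` entry only the masquerading binary remains, which is the tuning the false-positive note asks for. Note that the filter matches anywhere in the full image path, so a client dropped under a directory whose name contains "TeamViewer" is also suppressed.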