Techniques
Sample rules
Remote Access Tool - Team Viewer Session Started On MacOS Host
- source: sigma
- technicques:
- t1133
Description
Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the “incoming_connections.txt” log file in the TeamViewer folder.
Detection logic
condition: selection
selection:
CommandLine|endswith: /TeamViewer_Desktop --IPCport 5939 --Module 1
Image|endswith: /TeamViewer_Desktop
ParentImage|endswith: /TeamViewer_Service
Remote Access Tool - Team Viewer Session Started On Windows Host
- source: sigma
- technicques:
- t1133
Description
Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the “incoming_connections.txt” log file in the TeamViewer folder.
Detection logic
condition: selection
selection:
CommandLine|endswith: TeamViewer_Desktop.exe --IPCport 5939 --Module 1
Image: TeamViewer_Desktop.exe
ParentImage: TeamViewer_Service.exe
Remote Access Tool - Team Viewer Session Started On Linux Host
- source: sigma
- technicques:
- t1133
Description
Detects the command line executed when TeamViewer starts a session started by a remote host. Once a connection has been started, an investigator can verify the connection details by viewing the “incoming_connections.txt” log file in the TeamViewer folder.
Detection logic
condition: selection
selection:
CommandLine|endswith: /TeamViewer_Desktop --IPCport 5939 --Module 1
Image|endswith: /TeamViewer_Desktop
ParentImage|endswith: /TeamViewer_Service