LoFP / legitimate uses of teamviewer in an organisation

Techniques

t1219

Sample rules

TeamViewer Remote Session

source: sigma
technicques:
- t1219

Description

Detects the creation of log files during a TeamViewer remote session

Detection logic

condition: 1 of selection*
selection1:
  TargetFilename|endswith:
  - \TeamViewer\RemotePrinting\tvprint.db
  - \TeamViewer\TVNetwork.log
selection2:
  TargetFilename|contains|all:
  - \TeamViewer
  - _Logfile.log