Techniques
Sample rules
TeamViewer Domain Query By Non-TeamViewer Application
- source: sigma
- techniques:
  - t1219
Description
Detects DNS queries for TeamViewer domains that are normally resolved only by a TeamViewer client, when the querying process image isn't named TeamViewer (a technique sometimes used by threat actors for obfuscation).
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_teamviewer:
    Image|contains: TeamViewer
selection:
    QueryName:
        - taf.teamviewer.com
        - udp.ping.teamviewer.com
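
The detection logic above, evaluated over constructed DNS-query events, as an added example that is not part of the Sigma rule or its project. The event values, the helper names (`selection`, `matches`, `alerts`) and the handling of a missing Image field (treated as not matching the filter) are assumptions of this example.

```python
# Added example: a minimal evaluator for this one rule, not a Sigma backend.

# selection.QueryName: list items are OR-ed and compared as whole strings.
RULE_DOMAINS = {"taf.teamviewer.com", "udp.ping.teamviewer.com"}

# filter_main_*: every filter named this way takes part in "1 of filter_main_*".
FILTERS = {
    # Image|contains: TeamViewer (Sigma string matching is case-insensitive)
    "filter_main_teamviewer": lambda ev: "teamviewer" in ev.get("Image", "").lower(),
}

def selection(ev):
    return ev.get("QueryName", "").lower() in RULE_DOMAINS

def matches(ev):
    # condition: selection and not 1 of filter_main_*
    return selection(ev) and not any(f(ev) for f in FILTERS.values())

def alerts(events):
    return [ev for ev in events if matches(ev)]

# Constructed sample events; field names follow the rule, values are made up.
EVENTS = [
    # Genuine client: selected, then removed by the filter.
    {"Image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "QueryName": "taf.teamviewer.com"},
    # Differently named image resolving a client-only domain: alert.
    {"Image": r"C:\Users\Public\svchost.exe", "QueryName": "udp.ping.teamviewer.com"},
    # Unrelated query: never selected.
    {"Image": r"C:\Windows\System32\svchost.exe", "QueryName": "www.example.com"},
    # Mixed-case query name still matches the selection: alert.
    {"Image": r"C:\ProgramData\updater.exe", "QueryName": "TAF.TeamViewer.com"},
    # Other TeamViewer hostnames are not in the list: no alert.
    {"Image": r"C:\ProgramData\updater.exe", "QueryName": "router1.teamviewer.com"},
    # Log source without an Image field: the filter cannot match, so it alerts.
    {"QueryName": "taf.teamviewer.com"},
]

if __name__ == "__main__":
    for ev in alerts(EVENTS):
        print("ALERT", ev.get("Image", "<no image>"), "->", ev["QueryName"])
```

The last event shows why the rule needs a log source that records the querying process: without an Image value, every query for the listed domains alerts, including those from a legitimate client.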