This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.

« Potential Remote Desktop Tunneling Detected Potential Credential Access via Windows Utilities »

› ›

Remote File Copy via TeamViewer

edit

Remote File Copy via TeamViewer

edit

Identifies an executable or script file remotely downloaded via a TeamViewer transfer session.

Rule type: eql

Rule indices:

winlogbeat-*
logs-endpoint.events.*
logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html

Tags:

Elastic
Host
Windows
Threat Detection
Command and Control

Version: 5

Rule authors:

Elastic

Rule license: Elastic License v2

Rule query

edit

file where event.type == "creation" and process.name : "TeamViewer.exe" and
  file.extension : ("exe", "dll", "scr", "com", "bat", "ps1", "vbs", "vbe", "js", "wsh", "hta")

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
Technique:
- Name: Ingress Tool Transfer
- ID: T1105
- Reference URL: https://attack.mitre.org/techniques/T1105/
Technique:
- Name: Remote Access Software
- ID: T1219
- Reference URL: https://attack.mitre.org/techniques/T1219/

« Potential Remote Desktop Tunneling Detected Potential Credential Access via Windows Utilities »