Delete teamviewer logs12/2/2023 ![]() Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. ![]() | String | $env:TEMP\TeamViewer_54.log|Īn adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. Run the prereq command to create it if it does not exist. | teamviewer_log_file | Teamviewer log file to delete. This test just places the files in a non-TeamViewer folder, a detection would just check for a deletion event matching the TeamViewer ![]() This should provide a high true-positive alert ration. # Atomic Test #10 - Delete TeamViewer Log FilesĪdversaries may delete TeamViewer log files to hide activity. Atomic Test #10 - Delete TeamViewer Log Files Atomic Test #1: TeamViewer Files Detected Test on Windows Atomic Test #10: Delete TeamViewer Log Files Legitimate uses of TeamViewer in an organisation ' \TeamViewer\RemotePrinting\tvprint.db' Title : Installation of TeamViewer Desktopįile_event_win_screenconnect_artefact.ymlįile_event_win_susp_teamviewer_remote_session.ymlĭescription : Detects the creation of log files during a TeamViewer remote session Title : Suspicious TeamViewer Domain Accessĭescription : Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)įile_event_win_install_teamviewer_desktop.yml (Citation : Symantec Living off the Land) ' Mozilla/4.0 (compatible MSIE 6.0 DynGate)' # Attacks on industrial enterprises using RMS and TeamViewer ![]() ' Mozilla/4.0 (compatible RMS)' # Attacks on industrial enterprises using RMS and TeamViewer While TeamViewer.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. The following table contains possible examples of TeamViewer.exe being misused.
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |