
TeamViewer Domain Query By Non-TeamViewer Application

Detects DNS queries to TeamViewer domains that are only resolved by the TeamViewer client, issued by an image whose name does not contain "TeamViewer". Threat actors sometimes rename or relocate the TeamViewer client to obscure its presence, and a renamed client still resolves these domains.

Author: Florian Roth (Nextron Systems)
Log Source

Product: Windows (raw: windows)
Category: DNS Query (raw: dns_query)

DNS lookup events generated by endpoint monitoring tools.

Detection Logic (2 selectors)
detection:
    selection:
        QueryName:
            - 'taf.teamviewer.com'
            - 'udp.ping.teamviewer.com'
    filter_main_teamviewer:
        # Note: To avoid evasion based on similar names. Best add full install location of TeamViewer
        Image|contains: 'TeamViewer'
    condition: selection and not 1 of filter_main_*
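To see how the rule behaves on real telemetry, the following is an added example (not part of the Sigma rule or the SigmaHQ project) that evaluates the detection logic in Python over a few constructed Sysmon Event ID 22 (DNS query) records. It implements the rule exactly as written (`Image|contains: 'TeamViewer'`, case-insensitive as Sigma defaults dictate) and, beside it, the hardened variant the rule's own comment recommends: filtering on the full TeamViewer install location instead of a substring of the image name. The install paths, the event layout and the sample events are assumptions for illustration only.

```python
"""Evaluate the TeamViewer DNS-query Sigma rule over constructed Sysmon EID 22 events.

Added example, not code from the rule or its authors. Sigma string matching is
case-insensitive by default, so all comparisons below lower-case both sides.
"""
from dataclasses import dataclass


@dataclass
class DnsQueryEvent:
    """Minimal view of a Sysmon Event ID 22 record (assumed field subset)."""
    image: str       # 'Image' field: full path of the process that issued the query
    query_name: str  # 'QueryName' field: the DNS name requested


# selection: the two domains from the rule's 'QueryName' list
SELECTION_QUERY_NAMES = ("taf.teamviewer.com", "udp.ping.teamviewer.com")

# Assumed full install locations for the hardened filter (tune to your fleet).
TEAMVIEWER_INSTALL_PATHS = (
    "C:\\Program Files\\TeamViewer\\",
    "C:\\Program Files (x86)\\TeamViewer\\",
)


def selection_matches(ev: DnsQueryEvent) -> bool:
    return ev.query_name.lower() in SELECTION_QUERY_NAMES


def rule_matches_as_written(ev: DnsQueryEvent) -> bool:
    """Rule logic as published: selection and not filter_main_teamviewer,
    where the filter is 'Image|contains: TeamViewer'."""
    filter_main_teamviewer = "teamviewer" in ev.image.lower()
    return selection_matches(ev) and not filter_main_teamviewer


def rule_matches_hardened(ev: DnsQueryEvent) -> bool:
    """Same selection, but the filter only exempts images under the known
    install directories, as the rule's inline comment suggests."""
    image = ev.image.lower()
    filter_main_teamviewer = any(image.startswith(p.lower()) for p in TEAMVIEWER_INSTALL_PATHS)
    return selection_matches(ev) and not filter_main_teamviewer


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Legitimate client in its install directory: filtered by both variants.
    DnsQueryEvent("C:\\Program Files\\TeamViewer\\TeamViewer.exe", "taf.teamviewer.com"),
    # Mixed-case query from the service binary: still filtered (case-insensitive).
    DnsQueryEvent("C:\\Program Files\\TeamViewer\\TeamViewer_Service.exe", "UDP.Ping.TeamViewer.com"),
    # Renamed client dropped in a public folder: caught by both variants.
    DnsQueryEvent("C:\\Users\\Public\\svchost.exe", "udp.ping.teamviewer.com"),
    # Evasion the rule comment warns about: a binary merely *named* TeamViewer.exe
    # outside the install directory slips past the substring filter.
    DnsQueryEvent("C:\\Users\\bob\\AppData\\Local\\Temp\\TeamViewer.exe", "taf.teamviewer.com"),
    # Browser visiting the vendor website: not one of the client-only domains.
    DnsQueryEvent("C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "www.teamviewer.com"),
]


def evaluate(events, matcher) -> list:
    """Return the Image of every event the given matcher flags."""
    return [ev.image for ev in events if matcher(ev)]


if __name__ == "__main__":
    for name, matcher in (("as written", rule_matches_as_written), ("hardened", rule_matches_hardened)):
        print(f"{name}:")
        for image in evaluate(SAMPLE_EVENTS, matcher):
            print(f"  ALERT {image}")
```

The as-written variant flags only the renamed client in `C:\Users\Public`; the `Temp\TeamViewer.exe` event is suppressed because the image name contains "TeamViewer". The hardened variant flags both, at the cost of needing the real install paths for your environment (and a second entry if users run the portable build from another location, which will otherwise surface as a false positive).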
False Positives

Unknown binary names of TeamViewer

Depending on the environment the rule might require some initial tuning before usage to avoid FP with third party applications

MITRE ATT&CK

Tactic: Command and Control (attack.command-and-control)
Technique: attack.t1219.002
Rule Metadata
Rule ID
778ba9a8-45e4-4b80-8e3e-34a419f0b85e
Status
test
Level
medium
Type
Detection
Created
Sun Jan 30
Modified
Mon Sep 18
Path
rules/windows/dns_query/dns_query_win_teamviewer_domain_query_by_uncommon_app.yml
Raw Tags
attack.command-and-control, attack.t1219.002