Detectionmediumtest

Installation of TeamViewer Desktop

TeamViewer_Desktop.exe is create during install

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

François HubautCreated Fri Jan 289711de76-5d4f-4c50-a94f-21e4e8f8384dwindows

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetFilename|endswith: '\TeamViewer_Desktop.exe'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Other

attack.t1219.002

Rule Metadata

Rule ID

9711de76-5d4f-4c50-a94f-21e4e8f8384d

Status

test

Level

medium

Type

Detection

Created

Fri Jan 28

Author

Path

rules/windows/file/file_event/file_event_win_install_teamviewer_desktop.yml

Raw Tags

attack.command-and-controlattack.t1219.002