Remote File Copy via TeamViewer
Attackers may abuse legitimate utilities such as TeamViewer to deploy malware interactively by remotely copying executable or script files during a TeamViewer session.
Attackers sometimes transfer malicious tools into a compromised environment over their command and control channel, but they also abuse legitimate utilities like TeamViewer to drop these files. TeamViewer is a remote access and control tool frequently used by help desks and system administrators for support activities; however, attackers and scammers also leverage it to deploy malware and conduct other malicious activities. This detection identifies the TeamViewer process creating files on Windows systems whose extensions are commonly associated with executables and scripts, indicating potential misuse of the tool for unauthorized file transfers during a remote session.
Attack Chain
- An attacker gains initial access to a system through various means.
- The attacker installs or leverages an existing TeamViewer instance on the compromised system.
- The attacker establishes a remote connection to the compromised system using TeamViewer.
- The attacker initiates a file transfer session within TeamViewer.
- The attacker transfers a malicious executable or script file (e.g., .exe, .dll, .ps1) to the compromised system.
- The transferred file is saved to a location on the compromised system.
- The attacker executes the transferred file, leading to further malicious activities such as malware installation or command execution.
- The attacker performs post-exploitation activities, like lateral movement or data exfiltration.
Impact
Successful exploitation via remote file copy can lead to the introduction of malware into the targeted environment, potentially compromising sensitive data and causing significant operational disruption. The severity of the impact depends on the nature of the transferred file and the subsequent actions performed by the attacker.
Recommendation
- Deploy the Sigma rule "TeamViewer Remote File Copy" to your SIEM and tune it for your environment.
- Investigate any alerts generated by this rule by examining process execution chains and file origins.
- Block the file extensions listed in the file.extension field of the query at the network level to prevent the transfer of potentially malicious files.
- Enable Elastic Defend or SentinelOne Cloud Funnel to collect the file creation events needed to trigger the detection.
- Review TeamViewer usage within your organization and restrict its use to authorized personnel only.
Detection coverage (2 rules)
- TeamViewer Remote File Copy (severity: medium): Detects the creation of executable or script files by TeamViewer, indicating a potential remote file copy.
- TeamViewer Suspicious Script Creation (severity: medium): Detects TeamViewer creating script files in suspicious locations.
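As an added illustration (not the platform's own query, which is not reproduced on this page), the following Python applies the logic of the two rules above to constructed ECS-style file-creation events: a TeamViewer process writing a file with an executable or script extension, and, for the second rule, a script landing in a writable staging directory. The process names, the extensions beyond .exe/.dll/.ps1, and the "suspicious location" markers are assumptions, not values taken from the rules.

```python
import ntpath

# Extensions the page names as commonly transferred (.exe, .dll, .ps1); the
# additional script extensions are an assumption standing in for the rule's
# full file.extension list, which is not shown on the page.
EXECUTABLE_EXTENSIONS = {"exe", "dll"}
SCRIPT_EXTENSIONS = {"ps1", "bat", "cmd", "vbs"}
# Assumed process names; the rule's exact process filter is not on the page.
TEAMVIEWER_PROCESSES = {"teamviewer.exe", "teamviewer_desktop.exe"}
# Assumed "suspicious locations" for the second rule: world-writable or
# temporary directories that a remote session would typically stage into.
SUSPICIOUS_DIR_MARKERS = ("\\users\\public\\", "\\windows\\temp\\",
                          "\\appdata\\local\\temp\\")


def match_rules(event):
    """Return the names of the rules an ECS-style file-creation event triggers."""
    if event.get("event.action") != "creation":
        return []
    if event.get("process.name", "").lower() not in TEAMVIEWER_PROCESSES:
        return []
    path = event.get("file.path", "")
    # Prefer the collector's file.extension field; derive it from the path
    # when the sensor did not populate it.
    ext = (event.get("file.extension") or ntpath.splitext(path)[1].lstrip(".")).lower()
    hits = []
    if ext in EXECUTABLE_EXTENSIONS or ext in SCRIPT_EXTENSIONS:
        hits.append("TeamViewer Remote File Copy")
    if ext in SCRIPT_EXTENSIONS and any(m in path.lower() for m in SUSPICIOUS_DIR_MARKERS):
        hits.append("TeamViewer Suspicious Script Creation")
    return hits


def scan(events):
    """Return (file.path, matched rules) for every event that triggers a rule."""
    return [(e.get("file.path", ""), match_rules(e)) for e in events if match_rules(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"event.action": "creation", "process.name": "TeamViewer.exe",
     "file.path": "C:\\Users\\Public\\update.exe"},
    {"event.action": "creation", "process.name": "TeamViewer.exe",
     "file.path": "C:\\Users\\bob\\AppData\\Local\\Temp\\fix.ps1", "file.extension": "ps1"},
    {"event.action": "creation", "process.name": "TeamViewer.exe",
     "file.path": "C:\\Users\\bob\\Documents\\notes.txt"},
    {"event.action": "creation", "process.name": "explorer.exe",
     "file.path": "C:\\Users\\bob\\Downloads\\tool.exe"},
]

if __name__ == "__main__":
    for path, rules in scan(SAMPLE_EVENTS):
        print(path, "->", ", ".join(rules))
```

Only the two TeamViewer-written executable/script files fire; the .txt write and the explorer.exe download are ignored, which is the tuning point to revisit when adapting the extension list to your environment.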