Suspicious Remote File Copy via TeamViewer
Attackers may abuse TeamViewer, a legitimate remote access tool, to transfer malware or tools into a compromised environment by creating executable or script files with suspicious extensions.
Attackers commonly transfer malicious tools or malware into a compromised environment using command and control channels. They may also abuse legitimate utilities like TeamViewer to deliver these files. TeamViewer, a remote access and remote control tool used by helpdesks and system administrators, is sometimes exploited by attackers and scammers to deploy malware or conduct other malicious activities. This detection identifies instances where the TeamViewer process creates files with suspicious extensions on Windows systems, indicating a potential remote file copy operation for malicious purposes. This rule was last updated on 2026-03-19 and covers logs from the last 9 months.
Attack Chain
- The attacker gains initial access to a system (e.g., via phishing or exploiting a vulnerability).
- The attacker installs or uses an existing TeamViewer instance on the compromised system.
- The attacker establishes a remote connection to the compromised system via TeamViewer.
- The attacker uses TeamViewer's file transfer functionality to upload a malicious executable or script (e.g., a .exe, .dll, .ps1 file).
- TeamViewer.exe creates the malicious file on the compromised system.
- The attacker executes the transferred file, potentially gaining further access or control.
- The executed malware performs malicious actions such as privilege escalation, lateral movement, or data exfiltration.
Impact
Successful exploitation allows attackers to introduce malware or malicious tools onto a compromised system, potentially leading to data theft, system compromise, or further propagation within the network. While the number of victims is unknown, organizations relying on TeamViewer are at risk. If successful, the attacker could gain complete control over the affected system, leading to severe data breaches or operational disruptions.
Recommendation
- Deploy the Sigma rule
TeamViewer Remote File Copyto your SIEM to identify suspicious file creation events by TeamViewer (referencerules). - Investigate any alerts generated by the Sigma rule
TeamViewer Remote File Copyby reviewing the process execution chain and validating the legitimacy of the transferred files (referencerules). - Enable endpoint file creation logging to capture the events necessary for the
TeamViewer Remote File Copydetection to function effectively (referencerules). - Implement network monitoring to detect and block connections to known malicious TeamViewer servers (no IOCs present, but should be considered if additional data becomes available).
Detection coverage 2
TeamViewer Remote File Copy
mediumDetects suspicious file creation by TeamViewer with executable or script extensions, excluding common update paths.
TeamViewer Process Creation
infoDetects TeamViewer process execution, which can be used as a starting point for further investigation.
Detection queries are available on the platform. Get full rules →