Skip to content
Threat Feed
medium advisory

Suspicious Remote File Copy via TeamViewer

Attackers may abuse TeamViewer, a legitimate remote access tool, to transfer malware or tools into a compromised environment by creating executable or script files with suspicious extensions.

Attackers commonly transfer malicious tools or malware into a compromised environment using command and control channels. They may also abuse legitimate utilities like TeamViewer to deliver these files. TeamViewer, a remote access and remote control tool used by helpdesks and system administrators, is sometimes exploited by attackers and scammers to deploy malware or conduct other malicious activities. This detection identifies instances where the TeamViewer process creates files with suspicious extensions on Windows systems, indicating a potential remote file copy operation for malicious purposes. This rule was last updated on 2026-03-19 and covers logs from the last 9 months.

Attack Chain

  1. The attacker gains initial access to a system (e.g., via phishing or exploiting a vulnerability).
  2. The attacker installs or uses an existing TeamViewer instance on the compromised system.
  3. The attacker establishes a remote connection to the compromised system via TeamViewer.
  4. The attacker uses TeamViewer's file transfer functionality to upload a malicious executable or script (e.g., a .exe, .dll, .ps1 file).
  5. TeamViewer.exe creates the malicious file on the compromised system.
  6. The attacker executes the transferred file, potentially gaining further access or control.
  7. The executed malware performs malicious actions such as privilege escalation, lateral movement, or data exfiltration.

Impact

Successful exploitation allows attackers to introduce malware or malicious tools onto a compromised system, potentially leading to data theft, system compromise, or further propagation within the network. While the number of victims is unknown, organizations relying on TeamViewer are at risk. If successful, the attacker could gain complete control over the affected system, leading to severe data breaches or operational disruptions.

Recommendation

  • Deploy the Sigma rule TeamViewer Remote File Copy to your SIEM to identify suspicious file creation events by TeamViewer (reference rules).
  • Investigate any alerts generated by the Sigma rule TeamViewer Remote File Copy by reviewing the process execution chain and validating the legitimacy of the transferred files (reference rules).
  • Enable endpoint file creation logging to capture the events necessary for the TeamViewer Remote File Copy detection to function effectively (reference rules).
  • Implement network monitoring to detect and block connections to known malicious TeamViewer servers (no IOCs present, but should be considered if additional data becomes available).

Detection coverage 2

TeamViewer Remote File Copy

medium

Detects suspicious file creation by TeamViewer with executable or script extensions, excluding common update paths.

sigma tactics: command_and_control techniques: T1105, T1219 sources: file_event, windows

TeamViewer Process Creation

info

Detects TeamViewer process execution, which can be used as a starting point for further investigation.

sigma tactics: command_and_control techniques: T1219 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →