Product

TeamViewer

5 briefs RSS

Potential RemoteMonologue Attack via Registry Modification

This rule detects potential RemoteMonologue attacks by identifying attempts to perform session hijacking via COM object registry modification, specifically when the RunAs value is set to Interactive User.

MsMpEng.exe +4 remotemonologue defense-evasion persistence windows

2r 4t Jan 3, 2024

medium advisory

Multiple Remote Management Tool Vendors on Same Host

2 rules

This rule identifies Windows hosts where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.

AeroAdmin +60 remote-access-tool command-and-control rmm windows

2r Jan 3, 2024

medium advisory

Mshta Making Network Connections Indicative of Defense Evasion

2 rules 1 TTP

Mshta.exe making outbound network connections may indicate adversarial activity, as it is often used to execute malicious scripts and evade detection by proxying execution of untrusted code.

Amazon Assistant +3 defense-evasion system-binary-proxy-execution windows

2r 1t Jan 3, 2024

medium advisory

Remote File Copy via TeamViewer

2 rules 2 TTPs

Attackers may abuse legitimate utilities such as TeamViewer to deploy malware interactively by remotely copying executable or script files during a TeamViewer session.

Elastic Defend +2 command-and-control remote-access teamviewer

2r 2t Jan 3, 2024

medium advisory

Multiple Remote Management Tool Vendors on Same Host

3 rules

This detection identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.

AeroAdmin +55 command-and-control rmm windows threat-detection

3r Jan 2, 2024