{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/remote-access/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["ip-kvm","vulnerability","remote-access"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 19, 2026, security researchers publicly disclosed the existence of vulnerabilities affecting IP KVM (Keyboard, Video, Mouse) devices from four unnamed manufacturers. While specific CVEs and technical details remain unconfirmed in the provided context, the general nature of IP KVM vulnerabilities poses a significant risk. These devices, which provide remote access and control over connected servers and workstations, are often deployed in sensitive environments such as data centers and industrial control systems. Exploitation could grant attackers unauthorized access, control, and data exfiltration capabilities. Without further information, organizations are advised to investigate their use of IP KVM devices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker identifies vulnerable IP KVM devices exposed to the network, potentially through Shodan or similar scanning tools.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Exploitation:\u003c/strong\u003e The attacker leverages an unspecified vulnerability in the IP KVM\u0026rsquo;s firmware or web interface. This could involve exploiting a buffer overflow, authentication bypass, or command injection flaw.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication Bypass (if applicable):\u003c/strong\u003e If the initial vulnerability allows it, the attacker bypasses authentication mechanisms to gain administrative access to the KVM device.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Access:\u003c/strong\u003e The attacker utilizes the compromised IP KVM to remotely access connected servers and workstations as if they were physically present at the console.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e Once on a connected system, the attacker attempts to escalate privileges to gain SYSTEM or root access, potentially exploiting known OS vulnerabilities or misconfigurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e With elevated privileges, the attacker moves laterally to other systems on the network, using techniques like pass-the-hash or exploiting shared credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration / System Manipulation:\u003c/strong\u003e The attacker exfiltrates sensitive data from compromised systems or manipulates critical system configurations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence mechanisms (e.g., backdoors, scheduled tasks) on the compromised systems to maintain long-term access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of vulnerabilities in IP KVM devices can lead to severe consequences, including unauthorized access to critical systems, data breaches, and disruption of services. The number of potential victims is dependent on the number of vulnerable devices deployed across various organizations. Targeted sectors could include data centers, financial institutions, government agencies, and industrial control systems, all of which commonly rely on IP KVMs for remote server management. If the attack succeeds, organizations could suffer significant financial losses, reputational damage, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIdentify and inventory all IP KVM devices on your network to determine the affected manufacturers.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious connections to IP KVM devices, using a network intrusion detection system (NIDS).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious KVM Console Access\u0026rdquo; to identify unusual console activity related to KVM devices.\u003c/li\u003e\n\u003cli\u003eInvestigate any unusual process execution events originating from systems connected to IP KVM devices using process creation logs and the Sigma rule \u0026ldquo;Detect Potential KVM-Initiated Process\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eConduct regular vulnerability scans on IP KVM devices to identify and remediate known security weaknesses.\u003c/li\u003e\n\u003cli\u003eImplement strong access controls and multi-factor authentication for IP KVM devices to prevent unauthorized access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-19T17:26:04Z","date_published":"2026-03-19T17:26:04Z","id":"/briefs/2026-03-ip-kvm-vulns/","summary":"Researchers have disclosed unspecified vulnerabilities in IP KVM devices from four manufacturers, potentially allowing attackers to gain unauthorized access to connected systems.","title":"Vulnerabilities Disclosed in IP KVM Devices from Multiple Vendors","url":"https://feed.craftedsignal.io/briefs/2026-03-ip-kvm-vulns/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Elastic Endgame","Sysmon","AA_v*.exe","AeroAdmin.exe","AnyDesk.exe","apc_Admin.exe","apc_host.exe","AteraAgent.exe","aweray_remote*.exe","AweSun.exe","AgentMon.exe","B4-Service.exe","BASupSrvc.exe","bomgar-scc.exe","domotzagent.exe","domotz-windows-x64-10.exe","dwagsvc.exe","DWRCC.exe","ImperoClientSVC.exe","ImperoServerSVC.exe","ISLLight.exe","ISLLightClient.exe","fleetdeck_commander*.exe","getscreen.exe","g2aservice.exe","GoToAssistService.exe","gotohttp.exe","jumpcloud-agent.exe","level.exe","LvAgent.exe","LMIIgnition.exe","LogMeIn.exe","Lunixar.exe","LunixarRemote.exe","LunixarUpdater.exe","ManageEngine_Remote_Access_Plus.exe","MeshAgent.exe","Mikogo-Service.exe","NinjaRMMAgent.exe","NinjaRMMAgenPatcher.exe","ninjarmm-cli.exe","parsec.exe","PService.exe","quickassist.exe","r_server.exe","radmin.exe","radmin3.exe","RCClient.exe","RCService.exe","RemoteDesktopManager.exe","RemotePC.exe","RemotePCDesktop.exe","RemotePCService.exe","rfusclient.exe","ROMServer.exe","ROMViewer.exe","RPCSuite.exe","rserver3.exe","rustdesk.exe","rutserv.exe","rutview.exe","saazapsc.exe","ScreenConnect*.exe","session_win.exe","Remote Support.exe","smpcview.exe","spclink.exe","Splashtop-streamer.exe","Syncro.Overmind.Service.exe","SyncroLive.Agent.Runner.exe","SRService.exe","strwinclt.exe","Supremo.exe","SupremoService.exe","tacticalrmm.exe","tailscale.exe","tailscaled.exe","teamviewer.exe","ToDesk_Service.exe","twingate.exe","TiClientCore.exe","TSClient.exe","tvn.exe","tvnserver.exe","tvnviewer.exe","UltraVNC*.exe","UltraViewer*.exe","vncserver.exe","vncviewer.exe","winvnc.exe","winwvc.exe","Zaservice.exe","ZohoURS.exe","Velociraptor.exe","ToolsIQ.exe","CagService.exe","ScreenConnect.ClientService.exe","TiAgent.exe","GoToResolveProcessChecker.exe","GoToResolveUnattended.exe","Syncro.Installer.exe"],"_cs_severities":["medium"],"_cs_tags":["remote-access","rmm","command-and-control","persistence"],"_cs_type":"advisory","_cs_vendors":["Elastic","Action1 Corporation","AeroAdmin LLC","Ammyy LLC","Atera Networks Ltd","AWERAY PTE. LTD.","BeamYourScreen GmbH","Bomgar Corporation","DUC FABULOUS CO.,LTD","DOMOTZ INC.","DWSNET OÜ","FleetDeck Inc","GlavSoft LLC","Hefei Pingbo Network Technology Co. Ltd","IDrive, Inc.","IMPERO SOLUTIONS LIMITED","Instant Housecall","ISL Online Ltd.","LogMeIn, Inc.","LUNIXAR SAS DE CV","MMSOFT Design Ltd.","Nanosystems S.r.l.","NetSupport Ltd","NinjaRMM, LLC","Parallels International GmbH","philandro Software GmbH","Pro Softnet Corporation","RealVNC","Remote Utilities LLC","Rocket Software, Inc.","SAFIB","Servably, Inc.","ShowMyPC INC","Splashtop Inc.","Superops Inc.","TeamViewer","Techinline Limited","uvnc bvba","Yakhnovets Denis Aleksandrovich IP","Zhou Huabing","ZOHO Corporation Private Limited","Connectwise, LLC","BreakingSecurity.net","Tailscale","Twingate","RustDesk","Zoho","JumpCloud","ScreenConnect","GoTo"],"content_html":"\u003cp\u003eAttackers commonly abuse legitimate remote monitoring and management (RMM) tools and remote access software for command and control (C2), persistence, and execution of native commands on compromised endpoints. These tools provide attackers with the ability to maintain access, execute commands, and move laterally within a network. This detection identifies when a process associated with commonly abused RMM/remote access tools is observed for the first time on a host. The rule is designed to trigger when a new process name or code signature associated with RMM software, or a child process of such software, is seen within a configured history window. This helps defenders quickly identify potentially malicious use of legitimate tools.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to a target system through various methods, such as exploiting vulnerabilities or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eTool Deployment: The attacker deploys a remote monitoring and management (RMM) tool or remote access software on the compromised endpoint. This may involve downloading and installing the tool, or exploiting existing installations.\u003c/li\u003e\n\u003cli\u003ePersistence: The RMM tool is configured to run persistently on the system, ensuring that the attacker maintains access even after a reboot or other disruption. This may involve creating a service or adding a registry key to ensure the tool starts automatically.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The attacker uses the RMM tool to establish a command and control (C2) channel with the compromised system. This allows them to remotely execute commands, transfer files, and monitor activity on the system.\u003c/li\u003e\n\u003cli\u003eLateral Movement: Using the RMM tool, the attacker moves laterally within the network, compromising additional systems and escalating their access. This may involve using the tool to access shared resources or execute commands on other systems.\u003c/li\u003e\n\u003cli\u003eData Exfiltration or Ransomware Deployment: The attacker uses their access to exfiltrate sensitive data from the compromised network or deploy ransomware to encrypt files and demand a ransom payment.\u003c/li\u003e\n\u003cli\u003eCleanup: The attacker may attempt to remove traces of their activity, such as logs or files associated with the RMM tool, to avoid detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise via RMM tools can lead to significant data breaches, financial losses, and reputational damage. The use of legitimate tools makes detection more difficult. Successful attacks can result in ransomware deployment, data theft, and prolonged unauthorized access to sensitive systems. Organizations in all sectors are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the process creation rule to detect the execution of RMM tools on endpoints based on \u003ccode\u003eprocess.name\u003c/code\u003e and \u003ccode\u003eprocess.code_signature.subject_name\u003c/code\u003e criteria in the query.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to ensure the collection of necessary event data for the detection rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the detection rule to determine whether the execution of the RMM tool is authorized and legitimate. Refer to the references for a list of commonly abused RMM tools and associated indicators.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-24T12:00:00Z","date_published":"2024-01-24T12:00:00Z","id":"/briefs/2024-01-first-time-seen-rmm/","summary":"Detects the execution of previously unseen remote monitoring and management (RMM) tools or remote access software on compromised Windows endpoints, often leveraged for command-and-control, persistence, and execution of malicious commands.","title":"First Time Seen Remote Monitoring and Management Tool Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-first-time-seen-rmm/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Endpoint","Sysmon"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","remote-access","windows"],"_cs_type":"advisory","_cs_vendors":["TeamViewer","LogMeIn","AnyDesk","ScreenConnect","ConnectWise","Splashtop","Zoho","RustDesk","n-able","Kaseya","BeyondTrust","Tailscale","JumpCloud","VNC","Datto","Auvik","SyncroMSP","Pulseway","NinjaOne","Liongard","Naverisk","Panorama9","Tactical RMM","MeshCentral","ISL Online","Goverlan","Iperius","Remotix","Mikogo","Action1","Elastic"],"content_html":"\u003cp\u003eThis detection identifies DNS queries to commonly abused remote monitoring and management (RMM) or remote access software domains originating from processes that are not web browsers. This activity can indicate the use of legitimate RMM tools for malicious purposes, such as command and control, persistence, or lateral movement within a network. The detection aims to surface RMM clients, scripts, or other non-browser activities contacting these services without legitimate user interaction. Defenders should investigate processes making these queries to confirm expected behavior and validate the security posture of their managed assets. The rule is based on a list of known RMM domains and excludes common browser processes to reduce false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows host through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker deploys or leverages an existing RMM tool on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe RMM tool, running as a non-browser process, initiates a DNS query to resolve a command and control server associated with the RMM service (e.g., teamviewer.com).\u003c/li\u003e\n\u003cli\u003eThe DNS query is made by a process other than a known web browser (chrome.exe, firefox.exe, etc.).\u003c/li\u003e\n\u003cli\u003eThe compromised host establishes a connection to the resolved IP address associated with the RMM domain.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RMM tool to execute commands, transfer files, or perform other malicious activities on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the RMM tool for lateral movement, pivoting to other systems within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which could include data exfiltration, ransomware deployment, or maintaining persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise via abused RMM software can lead to full system compromise, data theft, or deployment of ransomware. While the number of affected victims is unknown, the sectors most likely to be impacted include any organization that relies on RMM tools for IT management. Successful exploitation allows attackers to bypass traditional security controls by using legitimate software, making detection more challenging.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;DNS Queries to Known RMM Domains from Non-Browser Processes\u0026rdquo; to your SIEM and tune the RMM domain list for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the process responsible for the DNS query and its parent process.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized RMM tools.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon DNS event logging to ensure the necessary data is available for the detection rule.\u003c/li\u003e\n\u003cli\u003eCorrelate with other alerts to identify potential compromises.\u003c/li\u003e\n\u003cli\u003eReview process.code_signature for trusted RMM publishers and investigate any unsigned or unexpected signers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rmm-dns-non-browser/","summary":"Detection of DNS queries to remote monitoring and management (RMM) domains from non-browser processes indicating potential misuse of legitimate remote access tools for command and control.","title":"Suspicious DNS Queries to RMM Domains from Non-Browser Processes","url":"https://feed.craftedsignal.io/briefs/2024-01-rmm-dns-non-browser/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR"],"_cs_severities":["medium"],"_cs_tags":["command and control","rmm","msi","windows","remote access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies a suspicious sequence of events where an MSI installer is executed, followed by the launch of remote management software (RMM) such as ScreenConnect, Syncro, or VNC. Attackers may leverage this technique to gain unauthorized access to systems by first installing malicious software via an MSI package, and then using the RMM software to establish a remote connection. The rule specifically looks for msiexec.exe being run with an install argument (/i) followed by the execution of known RMM tools within a short timeframe. This behavior is often indicative of malicious actors attempting to establish persistent remote access to compromised machines. The detection is designed for Windows environments and covers a range of data sources including Elastic Defend, Sysmon, SentinelOne, Microsoft Defender XDR, and CrowdStrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system through various means (e.g., social engineering, compromised website, or existing malware).\u003c/li\u003e\n\u003cli\u003eThe attacker deploys a malicious MSI installer to the victim machine. This can be done through phishing attachments or drive-by downloads.\u003c/li\u003e\n\u003cli\u003eThe user executes the MSI installer (msiexec.exe) with an installation argument (/i or -i). The parent process is typically explorer.exe or sihost.exe, indicating user-initiated installation.\u003c/li\u003e\n\u003cli\u003eThe MSI installer executes, potentially installing malware or modifying system settings.\u003c/li\u003e\n\u003cli\u003eWithin one minute of the MSI installation, a remote management software (RMM) client is launched, such as ScreenConnect.ClientService.exe, Syncro.Installer.exe, tvnserver.exe, or winvnc.exe.\u003c/li\u003e\n\u003cli\u003eThe RMM client attempts to establish an outbound connection to a remote server controlled by the attacker, often using pre-configured access keys.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the compromised system via the RMM client. In the case of ScreenConnect, the attacker may use a guest link with a known session key.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities, such as data exfiltration, lateral movement, or installing additional malware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain persistent remote access to compromised systems. This can lead to data theft, financial fraud, or disruption of services. Depending on the scope of the initial access, the attacker may be able to move laterally within the network, compromising additional systems. The use of RMM software can mask malicious activity as legitimate remote support, making detection more difficult.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging via Sysmon or Windows Security Event Logs to capture the execution of msiexec.exe and RMM tools.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Remote Management Access Launch After MSI Install\u0026rdquo; Sigma rule to your SIEM and tune the timeframe (maxspan) to suit your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the source of the MSI file and the destination of the RMM connection.\u003c/li\u003e\n\u003cli\u003eBlock the execution of unauthorized RMM software on your network based on process name, as identified in the rule (ScreenConnect.ClientService.exe, Syncro.Installer.exe, tvnserver.exe, winvnc.exe).\u003c/li\u003e\n\u003cli\u003eMonitor network connections for RMM software connecting to unusual or external IPs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-rmm-after-msi/","summary":"Detects an MSI installer execution followed by the execution of commonly abused Remote Management Software like ScreenConnect, potentially indicating abuse where an attacker triggers an MSI install then connects via a guest link with a known session key.","title":"Remote Management Access Launch After MSI Install","url":"https://feed.craftedsignal.io/briefs/2024-01-rmm-after-msi/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","TeamViewer"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","remote-access","teamviewer"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne"],"content_html":"\u003cp\u003eAttackers sometimes transfer malicious tools into a compromised environment using the command and control channel, but they also abuse legitimate utilities like TeamViewer to drop these files. TeamViewer is a remote access and control tool frequently used by help desks and system administrators for support activities; however, attackers and scammers also leverage it to deploy malware and conduct other malicious activities. This detection identifies instances of the TeamViewer process creating files with suspicious extensions on Windows systems, indicating potential misuse of the tool for unauthorized file transfers. The rule is designed to detect suspicious remote file copies during TeamViewer sessions, focusing on files with extensions commonly associated with executables and scripts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker installs or leverages an existing TeamViewer instance on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a remote connection to the compromised system using TeamViewer.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a file transfer session within TeamViewer.\u003c/li\u003e\n\u003cli\u003eThe attacker transfers a malicious executable or script file (e.g., .exe, .dll, .ps1) to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe transferred file is saved to a location on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the transferred file, leading to further malicious activities such as malware installation or command execution.\u003c/li\u003e\n\u003cli\u003eThe attacker performs post-exploitation activities, like lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via remote file copy can lead to the introduction of malware into the targeted environment, potentially compromising sensitive data and causing significant operational disruption. The severity of the impact depends on the nature of the transferred file and the subsequent actions performed by the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eTeamViewer Remote File Copy\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule by examining process execution chains and file origins.\u003c/li\u003e\n\u003cli\u003eBlock the file extensions listed in the \u003ccode\u003efile.extension\u003c/code\u003e field in the query at the network level to prevent the transfer of potentially malicious files.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend or SentinelOne Cloud Funnel to collect the necessary file creation events to trigger the detection.\u003c/li\u003e\n\u003cli\u003eReview TeamViewer usage within your organization and restrict its use to authorized personnel only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-teamviewer-file-copy/","summary":"Attackers may abuse legitimate utilities such as TeamViewer to deploy malware interactively by remotely copying executable or script files during a TeamViewer session.","title":"Remote File Copy via TeamViewer","url":"https://feed.craftedsignal.io/briefs/2024-01-teamviewer-file-copy/"}],"language":"en","title":"CraftedSignal Threat Feed — Remote-Access","version":"https://jsonfeed.org/version/1.1"}