{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/teamviewer/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","TeamViewer"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","remote-access","teamviewer"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne"],"content_html":"\u003cp\u003eAttackers sometimes transfer malicious tools into a compromised environment using the command and control channel, but they also abuse legitimate utilities like TeamViewer to drop these files. TeamViewer is a remote access and control tool frequently used by help desks and system administrators for support activities; however, attackers and scammers also leverage it to deploy malware and conduct other malicious activities. This detection identifies instances of the TeamViewer process creating files with suspicious extensions on Windows systems, indicating potential misuse of the tool for unauthorized file transfers. The rule is designed to detect suspicious remote file copies during TeamViewer sessions, focusing on files with extensions commonly associated with executables and scripts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system through various means.\u003c/li\u003e\n\u003cli\u003eThe attacker installs or leverages an existing TeamViewer instance on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a remote connection to the compromised system using TeamViewer.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a file transfer session within TeamViewer.\u003c/li\u003e\n\u003cli\u003eThe attacker transfers a malicious executable or script file (e.g., .exe, .dll, .ps1) to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe transferred file is saved to a location on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the transferred file, leading to further malicious activities such as malware installation or command execution.\u003c/li\u003e\n\u003cli\u003eThe attacker performs post-exploitation activities, like lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation via remote file copy can lead to the introduction of malware into the targeted environment, potentially compromising sensitive data and causing significant operational disruption. The severity of the impact depends on the nature of the transferred file and the subsequent actions performed by the attacker.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eTeamViewer Remote File Copy\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule by examining process execution chains and file origins.\u003c/li\u003e\n\u003cli\u003eBlock the file extensions listed in the \u003ccode\u003efile.extension\u003c/code\u003e field in the query at the network level to prevent the transfer of potentially malicious files.\u003c/li\u003e\n\u003cli\u003eEnable Elastic Defend or SentinelOne Cloud Funnel to collect the necessary file creation events to trigger the detection.\u003c/li\u003e\n\u003cli\u003eReview TeamViewer usage within your organization and restrict its use to authorized personnel only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-teamviewer-file-copy/","summary":"Attackers may abuse legitimate utilities such as TeamViewer to deploy malware interactively by remotely copying executable or script files during a TeamViewer session.","title":"Remote File Copy via TeamViewer","url":"https://feed.craftedsignal.io/briefs/2024-01-teamviewer-file-copy/"}],"language":"en","title":"CraftedSignal Threat Feed — Teamviewer","version":"https://jsonfeed.org/version/1.1"}