TeamViewer Abuse (File Transfer & Remote Control)
This note documents detection patterns related to TeamViewer Abuse (File Transfer & Remote Control) within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Detects TeamViewer execution (TeamViewer.exe). |
| Sysmon | 1 | Process creation | Critical | Full command line + parent context. |
| Sysmon | 3 | Network connection | Critical | Connections to TeamViewer infra (port 5938 / 443 / 80). |
| Sysmon | 11 | File create | Critical | Captures transferred payload landing on disk. |
| Sysmon | 22 | DNS query | High | router*.teamviewer.com resolution. |
| Security | 5156 | Allowed connection | High | Confirms outbound TeamViewer traffic. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| File transfer without session | StreamType_File without desktop session | Critical | Staging behavior |
| Suspicious file write | Write file C:\Users\... | Critical | Direct evidence from TeamViewer logs |
| Separate process timelines | Different PIDs (G3 vs D3 logs) | High | Multi-process architecture |
| Reconnect after delay | File transfer → delay → desktop session | Critical | Classic attacker workflow |
| External participant | Unknown participant name / ID | High | Potential attacker identity |
| No browser involved | File appears without browser parent | High | Strong anomaly |
| Desktop switching anomalies | Winlogon / Default switching | Medium | Privilege / session interaction |
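The indirect indicators above (file transfer without a desktop session, reconnect after delay, separate PIDs) can be correlated directly from the TeamViewer log. As an added example that is not part of the original note, the Python below runs that correlation over a constructed log sample; the line layout and the StreamType_Desktop token are assumptions, since real TeamViewer_Logfile.log lines carry more columns than shown here.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in a simplified "<date> <time> <pid> <participant-id> <message>" layout.
# Layout and the StreamType_Desktop token are assumptions; StreamType_File, "Write file" and
# the participant ID are the field names the note lists.
SAMPLE_LOG = """\
2024/03/01 10:02:13 4120 1234567890 Participant connected
2024/03/01 10:02:20 4120 1234567890 StreamType_File
2024/03/01 10:02:21 4120 1234567890 Write file C:\\Users\\alice\\Downloads\\update.exe
2024/03/01 10:02:40 4120 1234567890 Participant disconnected
2024/03/01 10:41:05 5580 1234567890 Participant connected
2024/03/01 10:41:06 5580 1234567890 StreamType_Desktop
2024/03/01 11:15:00 5580 9876543210 StreamType_Desktop
2024/03/01 11:16:02 5580 9876543210 Write file C:\\Users\\alice\\Documents\\report.pdf
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\d+) (\d+) (.*)$")


def parse(log):
    """Return (timestamp, pid, participant, message) tuples; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            events.append((ts, int(m.group(2)), m.group(3), m.group(4)))
    return events


def find_staging(events, session_window=timedelta(minutes=10)):
    """Flag 'Write file' events with no desktop stream from the same participant in the
    preceding session_window (staging). A later desktop stream from that participant is
    reported as reconnect-after-delay, with its PID, since the two phases differ in process."""
    desktops = [(ts, pid, part) for ts, pid, part, msg in events if msg == "StreamType_Desktop"]
    findings = []
    for ts, pid, part, msg in events:
        if not msg.startswith("Write file "):
            continue
        if any(p == part and ts - session_window <= dts <= ts for dts, _, p in desktops):
            continue  # transfer inside an active desktop session: expected behaviour
        finding = {"path": msg[len("Write file "):], "participant": part, "pid": pid,
                   "pattern": "file_transfer_without_session"}
        later = [(dts, dpid) for dts, dpid, p in desktops if p == part and dts > ts]
        if later:
            dts, dpid = later[0]
            finding.update(pattern="reconnect_after_delay", desktop_pid=dpid,
                           delay_minutes=round((dts - ts).total_seconds() / 60))
        findings.append(finding)
    return findings
```

Against the sample, only the first transfer is flagged: it lands 39 minutes before a desktop stream from the same participant under a different PID, while the second transfer occurs inside an active desktop session and is ignored.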
Common Tools
| Tool | Usage |
|---|---|
| TeamViewer.exe | Remote access / file transfer |
| TeamViewer_Service.exe | Background service |
| TeamViewer QS | QuickSupport attacker usage |
Relevant Artifacts
- TeamViewer logs:
  - C:\Program Files\TeamViewer\TeamViewer*_Logfile.log
  - C:\Users\<user>\AppData\Roaming\TeamViewer\
- Key log fields:
  - StreamType_File
  - Write file
  - Participant ID
  - SessionID
  - router*.teamviewer.com
  - ConnectionAccessControl
- Sysmon Event IDs 1, 3, 11, 22
- Security Event ID 4688
- Security Event ID 5156
- Prefetch: TEAMVIEWER.EXE
- Amcache for transferred payload
- MFT / USN Journal for file creation
MITRE ATT&CK References
- T1105 Ingress Tool Transfer
- T1219 Remote Access Software
- T1071 Application Layer Protocol
Decision Tree
- Was TeamViewer executed?
  - Parent process
  - User context
- Network destination?
  - router*.teamviewer.com
  - External IP
- File transferred?
  - Log shows Write file
  - File path
- Was file executed?
  - Child process
  - Prefetch / Amcache
- Expand:
  - Persistence
  - Additional sessions
  - Lateral movement
Example Detection Templates
KQL
```kql
Sysmon
| where EventID == 3
| where DestinationPort in (5938, 443, 80)
| where Image has "TeamViewer"
```
Sigma
```yaml
title: TeamViewer Suspicious Activity
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    Image|contains: 'TeamViewer'
  condition: selection
level: high
```
Snort Rule
```
alert tcp any any -> any 5938 (msg:"TeamViewer Traffic Detected"; sid:100001; rev:1;)
```
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Remote tools | Restrict TeamViewer usage | Critical | Prevent abuse |
| Network controls | Block port 5938 if not needed | High | Reduce exposure |
| Logging | Enable Sysmon + process tracking | Critical | Core visibility |
| EDR | Alert on TeamViewer file writes | High | Detect staging |