
Derekin_CA

u/Andrew-CS posted some great options to search for applications in Next-Gen SIEM in his post about MoveIT. (Modified for TeamViewer) NG SIEM customers can navigate to "Advanced Event Search" and hunt for TeamViewer software executing. The following CQL query can be used:

```
// Check for string "teamviewer" in executing file path
#event_simpleName=ProcessRollup2 ImageFileName=/teamviewer/i
// Remove "\Device\HarddiskVolume" from file path if it exists
| regex("(\\\\Device\\\\HarddiskVolume\\d+)?(?<ShortFile>.+$)", strict=false, field=ImageFileName)
// Aggregate by endpoint
| groupBy([aid, ComputerName], function=([collect([ShortFile])]))
// Merge details from aid_master
| aid=~match(file="aid_master_main.csv", column="aid", strict=false)
// Move FirstSeen from epoch to human-readable
| FirstSeen:=formatTime(format="%F %T %Z", field="FirstSeen")
// Move ProductType from decimal to human-readable
| $falcon/helper:enrich(field=ProductType)
// Get ipLocation data for external IP address, if available
| ipLocation(aip)
// Drop unnecessary fields
| drop([Time, aip.lat, aip.lon])
```

The following query can also be useful to hunt for installations:

```
// Check application installed events for string "teamviewer"
#event_simpleName=InstalledApplication AppName=/teamviewer/i
// Aggregate and show latest version number by aid, computername, and app name key
| groupBy([aid, ComputerName, AppName], function=([selectFromMax(field="@timestamp", include=[@timestamp, AppVersion])]))
```


[deleted]

If you have exposure management [Applications | Applications | Exposure management | Falcon (crowdstrike.com)](https://falcon.crowdstrike.com/discover/applications/inventory/applications/group-by-application?filter=name%3A%27TeamViewer%27)


chocochipr

Always thought it was bizarre/oddly funny that Mercedes F1 is sponsored by both Crowdstrike and TeamViewer.


About_TreeFitty

We run this as a scheduled search to detect when remote access tools (RATs) hit the disk on endpoints. I haven't converted it from the old query language yet though. `index=main (aa_v*.exe OR AeroAdmin.exe OR ammyy.exe OR anydesk.exe OR AnyViewerSetup.exe OR atera_agent.exe OR aweray_remote*.exe OR awhost32.exe OR awrem32.exe OR bomgar-rdp.exe OR bomgar-scc.exe OR CService.exe OR distant-desktop.exe OR dwagsvc.exe OR dwrcs.exe OR famitrfc.exe OR lmiguardiansvc.exe OR lmiignition.exe OR LogMeInIgnition.msi OR PCMonitorManager.exe OR pcmonitorsrv.exe OR radmin3.exe OR RCClient.exe OR remote_utility OR RemotePC.exe OR ROMFUSClient.exe OR ROMServer.exe OR rutserv.exe OR screenconnect.clientservice.exe OR ScreenConnect.msi OR screenconnect.windowsclient.exe OR showmypc*.exe OR smpcsetup.exe OR strwinclt.exe OR supremo.exe OR supremohelper.exe OR supremosystem.exe OR teamviewer.exe OR teamviewer_desktop.exe OR TeamViewer_Setup.exe OR UltraViewer_Desktop.exe OR vncsetup.exe OR vncviewer.exe OR winvnc.exe OR winvncsc.exe OR winwvc.exe OR Zaservice.exe OR ZohoMeeting.exe OR Zohours.exe) | table _time ComputerName UserName event_simpleName FilePath FileName ParentBaseFileName CommandLine`
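As an added illustration (not part of either comment above), the following Python stands in for the two searches: it strips the `\Device\HarddiskVolumeN` prefix the way the CQL `regex()` step does, matches the file name against a subset of the remote-access tool names from the scheduled search (wildcards included), and groups hits by `aid` and `ComputerName`. The field names come from the thread; the sample events are constructed, not real telemetry.

```python
import re
from collections import defaultdict
from fnmatch import fnmatch

# Subset of the remote-access tool names from the scheduled search above,
# wildcards kept as written. Matching is case-insensitive, like /teamviewer/i.
RAT_PATTERNS = [
    "aa_v*.exe", "anydesk.exe", "aweray_remote*.exe", "screenconnect.clientservice.exe",
    "ScreenConnect.msi", "showmypc*.exe", "teamviewer.exe", "TeamViewer_Setup.exe",
    "winvnc.exe", "vncviewer.exe",
]

# Same shape as the CQL regex: an optional \Device\HarddiskVolumeN prefix,
# then everything else captured as ShortFile.
_DEVICE_PREFIX = re.compile(r"^(\\Device\\HarddiskVolume\d+)?(?P<ShortFile>.+$)")


def short_file(image_file_name: str) -> str:
    # Return the path with any \Device\HarddiskVolumeN prefix removed.
    m = _DEVICE_PREFIX.match(image_file_name)
    return m.group("ShortFile") if m else image_file_name


def is_rat_binary(image_file_name: str) -> bool:
    # Compare only the final path component against the pattern list.
    name = short_file(image_file_name).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return any(fnmatch(name, p.lower()) for p in RAT_PATTERNS)


def hunt(events):
    # Group matching ProcessRollup2 events by (aid, ComputerName) -> sorted ShortFile list,
    # mirroring the groupBy([aid, ComputerName], collect([ShortFile])) step.
    hits = defaultdict(set)
    for ev in events:
        if ev.get("event_simpleName") != "ProcessRollup2":
            continue
        if is_rat_binary(ev["ImageFileName"]):
            hits[(ev["aid"], ev["ComputerName"])].add(short_file(ev["ImageFileName"]))
    return {k: sorted(v) for k, v in hits.items()}


# Constructed sample events (hypothetical aids, hostnames and paths).
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "aid": "a1", "ComputerName": "WS01",
     "ImageFileName": r"\Device\HarddiskVolume3\Users\jdoe\Downloads\TeamViewer_Setup.exe"},
    {"event_simpleName": "ProcessRollup2", "aid": "a1", "ComputerName": "WS01",
     "ImageFileName": r"\Device\HarddiskVolume3\Program Files\TeamViewer\TeamViewer.exe"},
    {"event_simpleName": "ProcessRollup2", "aid": "b2", "ComputerName": "SRV02",
     "ImageFileName": r"\Device\HarddiskVolume1\Windows\System32\svchost.exe"},
    {"event_simpleName": "ProcessRollup2", "aid": "b2", "ComputerName": "SRV02",
     "ImageFileName": r"C:\Temp\aa_v3.exe"},
    {"event_simpleName": "InstalledApplication", "aid": "c3", "ComputerName": "WS03",
     "ImageFileName": "anydesk.exe"},
]
```

Running `hunt(SAMPLE_EVENTS)` reports WS01 with the two TeamViewer paths and SRV02 with the AeroAdmin-style `aa_v3.exe` hit, while the svchost.exe and non-ProcessRollup2 events are ignored.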


GeneMoody-Action1

We have a script to do this, that works with or without our product, feel free to look at it too. If you run it outside Action1 it will just have a superfluous return value of A1_Key. Goes beyond TeamViewer and detects a large list of Agents by their default names. If you see any agent missing, let us know and we will happily add it. [https://github.com/Action1Corp/ReportDataSources/blob/main/RemoteControlAgentSearch.ps1](https://github.com/Action1Corp/ReportDataSources/blob/main/RemoteControlAgentSearch.ps1)


DanRubins

This is really nice - do you happen to also have something similar for Mac or Linux? If not we'll adapt this to bash and submit a PR.


GeneMoody-Action1

It would run on PowerShell Core, the issue would be that I have no insight into agent process names on those systems to make a decent index.


burnm3up

You can also set up an IOA rule to block it from running as a precaution.


shavedbits

Srs question, would Charlotte AI have an answer?


Boring_Pipe_5449

Is this already available to customers? Is there an extra charge?


caryc

extra


BradW-CS

Yes, Charlotte AI is generally available. Quota is set per CID, much like how we treat Falcon Sandbox manual uploads. Try it out for a week by getting in contact with your accounts team.


N7_Guru

What news? This? https://www.teamviewer.com/en-us/resources/trust-center/statement/


Ok_Indication6185

[https://www.bleepingcomputer.com/news/security/teamviewers-corporate-network-was-breached-in-alleged-apt-hack/](https://www.bleepingcomputer.com/news/security/teamviewers-corporate-network-was-breached-in-alleged-apt-hack/) I think is what is being referred to here