Friday, 22 November 2019

Hunting for suspicious use of TeamViewer - Part 1/2

N.B: TeamViewer (TV) is a great Remote Support (++) tool, and the objective of this post is to share some threat hunting ideas that could help spot malicious or abnormal usage of such tools (same principles can be applied to other third party legit Remote Support Tools).



Tools such as TV are used in a lot of environment for legit/justified business reasons, and for us as defenders we need to find ways to detect if indeed those tools are used as expected and what are the forensics and real time artefacts that we can leverage to get a better visibility level.

TV Components (High Level):
  • TeamViewer_Service.exe: TV core process which install itself as a standalone service (System Integrity Level)
  • TeamViewer.exe: is the main process for TV user GUI functions (Medium Integrity Level)
  • tv_w32.exe & tv_x64.exe: both used for TV logging (lock access to log file) and hooking specific functions (High IL)
  • TeamViewer_Desktop.exe: executes only when there is an active incoming remote support session via unattended access (System IL)


In term of networking, with exception of TeamViewer_Service.exe, all other processes connect to local host as a form of IPC between TV processes:




TV Netcon behavior can be summarized as below:

teamviwer_desktop.exe|teamviewer.exe:[localhost:high port] <-> teamviewer_service.exe [5939]<->*.teamviewer.com:5938 

In term of logging TV creates the following main "log" files:
  • tvchatfiledownloadhistory.db (encrypted)
  • TeamViewer**_Logfile.log: where * is indicative of TV version, 2 files with same file name one in program files and 2nd is in appdata\roaming)
  • Connections_Incoming.txt : logs time, userid and TV Session ID which can be used to correlate events - incoming connections.
  • Connections_Outgoing.txt: logs time, userid and TV Session ID which can be used to correlate events - outgoing connections.





The most verbose/useful log file is the TeamViwer**_Logfile.log within program files folder and with a DACL set to deny users from writing or changing the content of the file (administrators can of course delete the whole log file).

Logging is ON by default but can be turned off via GUI or setting propoerly certain registry values:


Once the logging is truned off (e.g. via GUI), following registry values get created (by default they get created only if you want to disable logging):



In this 1st part we will be covering the following hunting scenarios:
  1. Tampering attempts with TV logging
  2. File Transfer from attacker machine to TV client
  3. Request to autorize a new device (by default TV send email notification for the 1st time a new device connects to a TV client)
a) Defense Evasion - TV Logging Disabled:



b) File Transfer:

  • If tansfer is done using TV transfer files feature then the file creation on destination machine (TV client) will be logged as following:


While reviweing File Creation activity using production historical data, it shows that TeamViewer.exe usually create few files and majority of them are caching related files in:
  • AppData\Local\Microsoft\Windows\INetCache\IE\*
  • AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\*
So if you are interested to be informed of what files were dropped via TeamViewer File Transfer then use Sysmon or your EDR to monitor/hunt file creation activities by process name TeamViewer.exe.  We can also see traces ("FileDataSinkFileListWin::CreateFileInternal" and PID of TeamViewer.exe) of file transfer activity in the TeamViewer**_LogFile.log:



Unfortunately if the file was dropped via Drag and drop it's logged as being created by explorer.exe:


Looking at traces of file transfer within TeamViewer**_Logfile.log (program files) we can clearly see the explorer.exe PID (5244) and also clues ("DragInterceptor: Interception successful") about a file transfer activity:



For outbound file transfer (from TV client to attacker machine), Teamviewer.exe will read the file, then send it over the IPC netcon (port 5939) to TeamViewer_service.exe which send it to the *.teamviewer.com (port 5938)



All the transfered file names are not captured in the "TeamViewer**_LogFile.log", but high likely are captured in the tvchatfiledownloadhistory.db (encrypted/protected - will be covered in part 2).

c) New Device Autorization:

If the online (TV unattended access) credentials were compromised, once the attacker will try to logon for first time and supposedly that TV account is linked to the corporate email address, then high likely you can detect this notification email via your mail security gateway (custom message filter) which can be of huge value at warning your SOC and the TV account owner to reset the password before the damage is done (btw: enable TV 2FA ASAP!)



As a conclusion for this 1st part, you will need to understand it's usage mode (incoming or outgoing) as well as file transfer activity (needed/no) which can be disabled if not needed, alert on TV log file tampering including the log file deletion (if your EDR supports file deletion logging) and lastly make sure to enable 2FA for this kind of Remote Support tools even if it's rarely used.


That's all for this part, see you in part 2.







No comments:

Post a Comment