Detecting TeamViewer Install/Running

Description: Looks for the TeamViewer service running on machines. This is often used when attackers gain access to a machine, running TeamViewer to allow them to access the machine.

What The Data Shows: TeamViewer running on a machine.

SQL: 

SELECT display_name,status,s.pid,p.path
FROM services AS s
JOIN processes AS p USING(pid)
WHERE s.name LIKE '%teamviewer%';

 

2 Comments
jnelson
Carbon Black Employee
Status changed to: Approved
 
mided_heier
New Contributor II

Hi, 

This query does not include the scenario where you just run TeamViewer (without installing it as a service). In that case you should use a condition like the one shown below (process names are tv_w32.exe and/or tv_w32.exe)

SELECT name,path,state
FROM processes AS s
WHERE name LIKE '%tv_w%';
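
Added example (not part of the original post or of either comment): one osquery query that returns both cases discussed in this thread, the TeamViewer service and a TeamViewer process that runs without a service. The `source` and `status_or_state` column names, the `pid > 0` guard and the escaped underscore in the `tv_w` pattern are choices made for this example.

```sql
-- Added example: TeamViewer as a service OR as a stand-alone process.
-- Uses only the osquery `services` and `processes` tables named in the thread.

-- Part 1: every service whose name contains "teamviewer".
-- LEFT JOIN keeps services that are installed but not currently running;
-- a stopped service reports pid 0, so pid 0 is never joined to a process row.
SELECT 'service'                 AS source,
       s.name                    AS name,
       s.display_name            AS display_name,
       s.status                  AS status_or_state,
       s.start_type              AS start_type,
       s.pid                     AS pid,
       COALESCE(p.path, s.path)  AS path
FROM services AS s
LEFT JOIN processes AS p
       ON p.pid = s.pid AND s.pid > 0
WHERE s.name LIKE '%teamviewer%'

UNION ALL

-- Part 2: TeamViewer-named processes that are NOT the service's own process,
-- i.e. the "run without installing" case raised in the comment.
-- In LIKE, "_" matches any single character, so it is escaped here to match
-- a literal underscore in names such as tv_w32.exe.
SELECT 'process',
       p.name,
       NULL,
       p.state,
       NULL,
       p.pid,
       p.path
FROM processes AS p
WHERE (p.name LIKE '%teamviewer%' OR p.name LIKE 'tv\_w%' ESCAPE '\')
  AND p.pid NOT IN (SELECT pid
                    FROM services
                    WHERE name LIKE '%teamviewer%' AND pid > 0);
```

Both halves match on names only, so a renamed binary or service will not appear in the results; the `path` column is there so each hit can be checked against the expected install location.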