One of the most recognized remote support tools, commonly misused in intrusions for interactive remote sessions owing to its widespread presence in corporate environments and the quick, configuration-free access it provides.
| Run-Only [One Time Use] | TeamViewer Installed | Significance |
|---|---|---|
| %LocalAppData%\TeamViewer\Logs\TeamViewer15_Logfile.log | C:\Program Files\TeamViewer\TeamViewer15_Logfile.log | Wealth of Information! |
| %appdata%\TeamViewer\Connections.txt | %appdata%\TeamViewer\Connections.txt | Outgoing TeamViewer Connection Details |
| %temp%\TeamViewer\Connections_incoming.txt | C:\Program Files\TeamViewer\Connections_incoming.txt | Incoming TeamViewer Connection Details |
The log file records every successful connection, and its header is a simple keyword/value block describing the host that wrote the log (the Target):
```text
Start: 2023/01/09 09:46:04.501 (UTC)
Version: 15.37.3
Version short hash: 9191c897b9c
ID: 1430886940                  //ID of the Target host
Loglevel: Info
License: 10000
IC: 1704214562
CPU: Intel64 Family 6 Model 85 Stepping 4, GenuineIntel
CPU extensions: l9
OS: Win_10.0.19044_W (64-bit)
IP: 192.168.50.194              //IP of the Target Host
MID: v95db4d5636b078d5bb4fdb78503a236c000c293a236c306f2db9b628a1f4910da6d0fc1267f8<~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~0dd0c5b4e712d7cef7750d93b4e6b006
MIDv: 2
Proxy-Settings: Type=1 IP= User=
IE 11.789.19041.0
AppPath: C:\\Users\\sansdfir\\AppData\\Local\\Temp\\TeamViewer\\TeamViewer.exe
UserAccount: sansdfir           //User on the Target host
```
Successful Remote Connection:

```text
CPersistentParticipantManager::AddParticipant: [1430897608,-1706173441] type=6 name=WIN10VM
```

Legend:

- `1430897608`: TeamViewer ID of the Source Machine
- `type=6 name=WIN10VM`: Source Hostname
- Public IP of the Source Host: the `punch received` line, in the `a=` field:

```text
2023/01/09 19:26:13.353 1472 3160 S0 UDPv4: punch received a=106.205.243.107:53628: (*)
```
File Download:

A `Write file` entry indicates that a file was dropped or downloaded on the Target.
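The extraction the legend describes can be scripted so that a triage of many hosts yields the same fields every time. The following Python is an added example, not code from the original page or from TeamViewer: it reads the key/value header for the Target's ID, IP and user account, the `AddParticipant` line for the Source's TeamViewer ID and hostname, the `punch received` line for the Source's public IP, and collects `Write file` entries. The sample log is constructed from the excerpts above; the timestamps prefixed to the event lines and the shape of the `Write file` line are assumptions, since the page names that marker without showing a full line.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the excerpt above. Header keys, the
# AddParticipant line and the "punch received" line follow the page; the
# timestamps on the event lines and the "Write file" line are assumptions.
SAMPLE_LOG = r"""
Start: 2023/01/09 09:46:04.501 (UTC)
Version: 15.37.3
Version short hash: 9191c897b9c
ID: 1430886940
Loglevel: Info
OS: Win_10.0.19044_W (64-bit)
IP: 192.168.50.194
Proxy-Settings: Type=1 IP= User=
IE 11.789.19041.0
UserAccount: sansdfir
2023/01/09 19:26:13.353 1472 3160 S0 UDPv4: punch received a=106.205.243.107:53628: (*)
2023/01/09 19:26:14.001 1472 3160 S0   CPersistentParticipantManager::AddParticipant: [1430897608,-1706173441] type=6 name=WIN10VM
2023/01/09 19:27:02.120 1472 3160 S0   Write file C:\Users\sansdfir\Downloads\dropped_tool.exe
"""

# Event lines start with a timestamp; header lines are "Key: value".
TIMESTAMP_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9 _-]*):\s*(.*)$")
ADD_PARTICIPANT_RE = re.compile(
    r"CPersistentParticipantManager::AddParticipant:\s*"
    r"\[(\d+),(-?\d+)\]\s*type=(\d+)\s*name=(\S+)"
)
PUNCH_RE = re.compile(r"punch received a=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")

# Header keys worth keeping, mapped to the session fields they populate.
HEADER_KEYS = {"ID": "target_id", "IP": "target_ip", "UserAccount": "target_user"}


@dataclass
class TeamViewerSession:
    target_id: Optional[str] = None         # "ID:" header, host that wrote the log
    target_ip: Optional[str] = None         # "IP:" header
    target_user: Optional[str] = None       # "UserAccount:" header
    source_id: Optional[str] = None         # first number in AddParticipant [...]
    source_hostname: Optional[str] = None   # name= in AddParticipant
    source_public_ip: Optional[str] = None  # a= in the punch received line
    connected_at: Optional[str] = None      # timestamp of the AddParticipant line
    file_writes: List[str] = field(default_factory=list)  # "Write file" remainders


def parse_teamviewer_log(text: str) -> TeamViewerSession:
    """Pull the legend's fields out of a TeamViewer15_Logfile.log excerpt."""
    session = TeamViewerSession()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        ts = TIMESTAMP_RE.match(line)
        stamp = ts.group(1) if ts else None

        # Event lines are checked first so that an untimestamped AddParticipant
        # line (as quoted on the page) is never mistaken for a header entry.
        m = ADD_PARTICIPANT_RE.search(line)
        if m:
            session.source_id = m.group(1)
            session.source_hostname = m.group(4)
            session.connected_at = stamp
            continue
        m = PUNCH_RE.search(line)
        if m:
            session.source_public_ip = m.group(1)
            continue
        if "Write file" in line:
            session.file_writes.append(line.split("Write file", 1)[1].strip())
            continue
        if stamp is None:
            m = HEADER_RE.match(line)
            if m and m.group(1) in HEADER_KEYS:
                setattr(session, HEADER_KEYS[m.group(1)], m.group(2).strip())
    return session


if __name__ == "__main__":
    s = parse_teamviewer_log(SAMPLE_LOG)
    print(f"Target  : id={s.target_id} ip={s.target_ip} user={s.target_user}")
    print(f"Source  : id={s.source_id} host={s.source_hostname} "
          f"public_ip={s.source_public_ip} at={s.connected_at}")
    for path in s.file_writes:
        print(f"Written : {path}")
```

The parser deliberately ignores the header block once a timestamped event line is reached, and it only maps the three header keys the legend cares about; adding further keys (for example `AppPath`, to distinguish the run-only binary in `%temp%` from an installed copy) is a one-line change to `HEADER_KEYS` plus a field on the dataclass.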