NF – POLICY – Teamviewer Master domain lookup

This alert is triggered when a DNS query sent over UDP port 53 from the internal network asks for a TeamViewer "master" domain (the label "master" followed by one or two digits, then .teamviewer.com), indicating that a device may be trying to establish a connection via TeamViewer.

Categories:

ID Number

5002015

Signature

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"NF - POLICY - Teamviewer Master domain lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; pcre:"/master[0-9]{1,2}\x0ateamviewer\x03com/i"; reference:url,networkforensic.dk; metadata:05062016; classtype:policy-violation; sid:5002015; rev:1;)

Severity

High

Recommendations/Investigative actions

Determine which internal device is attempting to connect to TeamViewer’s servers to verify if this activity is authorized. Check the device for TeamViewer or other remote access tools that may have been installed without authorization. Block further TeamViewer-related DNS queries.
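
The signature's two payload checks, reproduced in Python and run over constructed DNS queries to show which lookups raise the alert. This is an added example, not part of the original rule page; the helper names build_query and rule_matches and the sample hostnames are assumptions made for illustration.

```python
import re
import struct

# Header bytes the rule's content match expects at offset 2, depth 10:
# flags 0x0100 (standard query, RD set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0.
HEADER = bytes.fromhex("01000001000000000000")
# Same expression as the rule's pcre option; \x0a and \x03 are the DNS
# length bytes in front of the "teamviewer" (10) and "com" (3) labels.
NAME_RE = re.compile(rb"master[0-9]{1,2}\x0ateamviewer\x03com", re.I)


def build_query(name, txid=0x1234, edns=False):
    """Build a constructed DNS A query for `name` (UDP payload only)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # Minimal OPT pseudo-record (root name, type 41, 4096-byte UDP size).
    opt = b"\x00" + struct.pack(">HHIH", 41, 4096, 0, 0) if edns else b""
    return header + question + opt


def rule_matches(payload):
    """Apply the rule's two payload checks to a UDP/53 payload."""
    # content with offset:2 and depth:10 must be found within bytes 2..11,
    # which for a 10-byte pattern means exactly at offset 2.
    if payload[2:12] != HEADER:
        return False
    return NAME_RE.search(payload) is not None


# Constructed sample queries (hostnames chosen for illustration).
SAMPLES = [
    ("master1.teamviewer.com", False),
    ("MASTER12.TeamViewer.com", False),
    ("master123.teamviewer.com", False),
    ("www.teamviewer.com", False),
    ("master1.teamviewer.com", True),  # same name, EDNS0 OPT record present
]

if __name__ == "__main__":
    for name, edns in SAMPLES:
        hit = rule_matches(build_query(name, edns=edns))
        print(f"{name:28} edns={edns!s:5} -> {'ALERT' if hit else 'no alert'}")
```

A query that carries an OPT record has ARCOUNT=1, so the fixed 10-byte header match fails even though the name matches; when validating the rule, confirm which query form the clients and resolvers on the monitored segment actually send.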