Query Details

APT29 Team Viewer Activity Detection

Query

// This query detects TeamViewer connections to known APT29 associated IPs and URLs
DeviceNetworkEvents
| where Timestamp > ago(30d)                                // last 30 days
| where InitiatingProcessCommandLine contains "teamviewer"  // contains is case-insensitive
| where RemoteIPType == "Public"                            // skip private/reserved destinations
| where RemoteIP in (  // List of known malicious IPs associated with APT29 (exact match)
    "101.53.136.60",
    "103.146.230.130",
    "103.146.230.165",
    "103.146.230.183",
    "103.205.100.84",
    "103.76.128.34",
    "126.126.112.143",
    "146.70.158.212",
    "154.12.90.68",
    "154.12.91.181",
    "164.92.243.252",
    "164.92.251.25",
    "165.227.151.123",
    "180.250.18.25",
    "185.174.137.26",
    "185.183.96.108",
    "185.45.192.35",
    "188.127.254.11",
    "188.166.236.38",
    "192.248.171.106",
    "195.123.212.54",
    "195.123.225.68",
    "205.185.121.28",
    "222.186.48.166",
    "34.96.200.156",
    "36.0.3.71",
    "38.207.148.147",
    "47.245.60.81",
    "64.176.229.97",
    "65.20.97.203",
    "65.21.51.58",
    "77.75.230.164",
    "80.240.28.29",
    "82.118.22.155",
    "88.169.109.111"
)
  or RemoteUrl in (    // List of known malicious URLs associated with APT29 (exact match on RemoteUrl)
    "activelivingbu.top",
    "aipricadd.top",
    "beastdositadvtofm.site",
    "bulemeuogroup.top",
    "fbi.cab",
    "firebasesafer.top",
    "gen.fbi.cab",
    "github.io",
    "gonetis.lol",
    "kernel.kernelcontrol.center",
    "kernelcontrol.center",
    "largeroofs.top",
    "lenustsimodetoday.xyz",
    "makeforlessu.name",
    "namesolitive.top",
    "netisap.site",
    "netisd.link",
    "netisgo.site",
    "os.fbi.cab",
    "presence-name.top",
    "preshowname.top",
    "proton.me",
    "quickcheckx.github.io",
    "siestakeying.com",
    "sihugetdvtdoma.site",
    "silentdomainjhsmdelete.site",
    "singleacc.top",
    "siotherlentsearsitech.shop",
    "sxetldsofscvderv.top",
    "tutanota.com",
    "uuhkqnmzqkcejskbh.com",
    "waterforvoiceless.org"
)
| project Timestamp, InitiatingProcessFileName, DeviceName, ActionType, RemoteIP, RemotePort, RemoteUrl

Explanation

This query is designed to identify any TeamViewer connections made from devices within the last 30 days to IP addresses or URLs that are associated with the APT29 threat group, which is known for cyber espionage activities. Here's a simplified breakdown of what the query does:

  1. Data Source: It examines network events from devices (DeviceNetworkEvents).

  2. Time Frame: It focuses on events that occurred in the past 30 days.

  3. TeamViewer Filter: It keeps only network events where the command line of the process that initiated the connection contains "teamviewer", indicating the use of the TeamViewer application.

  4. Public IP Filter: It only considers connections made to public IP addresses.

  5. Malicious IPs and URLs: It checks whether the remote IP address or the remote URL of the connection matches an entry in the lists of known malicious IPs and URLs associated with APT29; a match on either list is enough.

  6. Output: For any connections that meet these criteria, it outputs details including the timestamp of the event, the name of the initiating process, the device name, the type of action taken, the remote IP address and port, and the remote URL.

This query helps in detecting potentially suspicious or malicious activity involving TeamViewer connections to known APT29-related entities.
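To check the query's semantics offline, the following is an added Python re-implementation of the same six stages run over a handful of constructed DeviceNetworkEvents-shaped rows; it is not part of the original page. It assumes that Python's `is_global` is a close enough stand-in for `RemoteIPType == "Public"`, uses only a subset of the page's IOC lists, and uses 1.2.3.4 / 5.6.7.8 as placeholder public addresses that are not on the list.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Subset of the IOC lists from the query above (the full lists would be used in practice).
APT29_IPS = {"101.53.136.60", "146.70.158.212", "185.45.192.35"}
APT29_URLS = {"kernelcontrol.center", "quickcheckx.github.io", "github.io"}
PROJECT = ("Timestamp", "InitiatingProcessFileName", "DeviceName", "ActionType",
           "RemoteIP", "RemotePort", "RemoteUrl")

def is_public(ip):
    """Approximates RemoteIPType == 'Public' (assumption: is_global is close enough)."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False

def detect_teamviewer_apt29(events, now, window=timedelta(days=30)):
    """Mirrors the KQL stages: time window, teamviewer filter, public IP, IOC match, project."""
    hits = []
    for e in events:
        ts = datetime.fromisoformat(e["Timestamp"].replace("Z", "+00:00"))
        if ts <= now - window:
            continue
        # KQL `contains` is case-insensitive; `in` is an exact, case-sensitive match.
        if "teamviewer" not in e["InitiatingProcessCommandLine"].lower():
            continue
        if not is_public(e["RemoteIP"]):
            continue
        if e["RemoteIP"] in APT29_IPS or e["RemoteUrl"] in APT29_URLS:
            hits.append({k: e[k] for k in PROJECT})
    return hits

def _event(ts, device, cmd, ip, url, port=5938):
    """Builds one constructed DeviceNetworkEvents-shaped row (not real telemetry)."""
    return {"Timestamp": ts, "DeviceName": device, "ActionType": "ConnectionSuccess",
            "InitiatingProcessFileName": cmd.split("\\")[-1].strip('"'),
            "InitiatingProcessCommandLine": cmd, "RemoteIP": ip, "RemotePort": port, "RemoteUrl": url}

TV = '"C:\\Program Files\\TeamViewer\\TeamViewer.exe"'
NOW = datetime(2024, 11, 10, tzinfo=timezone.utc)
SAMPLE_EVENTS = [  # constructed sample rows
    _event("2024-11-09T08:15:00Z", "ws01", TV, "146.70.158.212", ""),                 # IOC IP -> hit
    _event("2024-11-09T08:16:00Z", "ws02", TV, "1.2.3.4", "quickcheckx.github.io"),   # IOC URL -> hit
    _event("2024-11-09T08:17:00Z", "ws03", TV, "5.6.7.8", "docs.github.io"),          # subdomain: no exact match
    _event("2024-11-09T08:18:00Z", "ws04", TV, "10.0.0.5", "kernelcontrol.center"),   # via internal proxy: private IP, missed
    _event("2024-09-01T08:18:00Z", "ws05", TV, "185.45.192.35", ""),                  # older than 30 days
    _event("2024-11-09T08:19:00Z", "ws06", '"C:\\Windows\\System32\\svchost.exe"', "101.53.136.60", ""),  # not TeamViewer
]

if __name__ == "__main__":
    for hit in detect_teamviewer_apt29(SAMPLE_EVENTS, NOW):
        print(hit)
```

The ws03 and ws04 rows show the two blind spots worth knowing about: `in` on RemoteUrl will not match a subdomain of a listed domain, and a connection that leaves through an internal proxy has a private RemoteIP and is dropped by the public-IP stage.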

Details


Arnold Chan

Released: November 10, 2024

Tables

DeviceNetworkEvents

Keywords

DeviceNetworkEvents, Timestamp, InitiatingProcessCommandLine, RemoteIP, RemoteURL, InitiatingProcessFileName, DeviceName, ActionType, RemotePort

Operators

DeviceNetworkEvents, |, where, Timestamp, >, ago(), where, InitiatingProcessCommandLine, contains, where, RemoteIPType, ==, where, RemoteIP, in, or, RemoteUrl, in, project
