TeamViewer


I found a TeamViewer_Service process running earlier. TeamViewer is cross-platform remote access and remote control software that allows maintenance of computers and other devices. It is mostly used for remote system administration and collaboration, and is very similar to RDP in what it offers.

PS C:\Program Files (x86)> dir
 
 
    Directory: C:\Program Files (x86)
 
 
Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        9/15/2018   3:28 AM                Common Files                                                          
d-----        9/15/2018   5:06 AM                Internet Explorer                                                     
d-----        2/23/2020   2:19 PM                Microsoft SQL Server                                                  
d-----        2/23/2020   2:15 PM                Microsoft.NET                                                         
d-----        2/19/2020   3:11 PM                MSBuild                                                               
d-----        2/19/2020   3:11 PM                Reference Assemblies                                                  
d-----        2/20/2020   2:14 AM                TeamViewer                                                            
d-----        9/15/2018   5:05 AM                Windows Defender                                                      
d-----        9/15/2018   3:19 AM                Windows Mail                                                          
d-----       10/29/2018   6:39 PM                Windows Media Player                                                  
d-----        9/15/2018   3:19 AM                Windows Multimedia Platform                                           
d-----        9/15/2018   3:28 AM                Windows NT                                                            
d-----       10/29/2018   6:39 PM                Windows Photo Viewer                                                  
d-----        9/15/2018   3:19 AM                Windows Portable Devices                                              
d-----        9/15/2018   3:19 AM                WindowsPowerShell                                                     

I also found the installation directory at C:\Program Files (x86)\TeamViewer.

PS C:\Program Files (x86)\TeamViewer> ls
 
 
    Directory: C:\Program Files (x86)\TeamViewer
 
 
Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        2/27/2020  10:35 AM                Version7

The sub-directory name shows that it is version 7.

Installation Root


PS C:\Program Files (x86)\TeamViewer\Version7> ls
 
 
    Directory: C:\Program Files (x86)\TeamViewer\Version7
 
 
Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----        2/20/2020   2:14 AM                x64                                                                   
-a----         8/7/2012   6:36 AM           8485 CopyRights.txt                                                        
-a----        9/12/2012   7:36 AM          29920 License.txt                                                           
-a----        5/29/2015   1:17 PM        8034096 TeamViewer.exe                                                        
-a----         2/1/2023   5:27 AM         372299 TeamViewer7_Logfile.log                                               
-a----        2/27/2020  10:35 AM        1049114 TeamViewer7_Logfile_OLD.log                                           
-a----        5/29/2015   1:17 PM        2286896 TeamViewer_Desktop.exe                                                
-a----        5/29/2015   1:17 PM         279344 TeamViewer_Resource_ar.dll                                            
-a----        5/29/2015   1:17 PM         313136 TeamViewer_Resource_bg.dll                                            
-a----        5/29/2015   1:17 PM         299824 TeamViewer_Resource_cs.dll                                            
-a----        5/29/2015   1:18 PM         293680 TeamViewer_Resource_da.dll                                            
-a----        5/29/2015   1:17 PM         321328 TeamViewer_Resource_de.dll                                            
-a----        5/29/2015   1:17 PM         339760 TeamViewer_Resource_el.dll                                            
-a----        5/29/2015   1:17 PM         292144 TeamViewer_Resource_en.dll                                            
-a----        5/29/2015   1:18 PM         318768 TeamViewer_Resource_es.dll                                            
-a----        5/29/2015   1:18 PM         296752 TeamViewer_Resource_fi.dll                                            
-a----        5/29/2015   1:18 PM         333616 TeamViewer_Resource_fr.dll                                            
-a----        5/29/2015   1:17 PM         257840 TeamViewer_Resource_he.dll                                            
-a----        5/29/2015   1:17 PM         307504 TeamViewer_Resource_hr.dll                                            
-a----        5/29/2015   1:17 PM         316720 TeamViewer_Resource_hu.dll                                            
-a----        5/29/2015   1:17 PM         298288 TeamViewer_Resource_id.dll                                            
-a----        5/29/2015   1:18 PM         319280 TeamViewer_Resource_it.dll                                            
-a----        5/29/2015   1:17 PM         209712 TeamViewer_Resource_ja.dll                                            
-a----        5/29/2015   1:17 PM         208688 TeamViewer_Resource_ko.dll                                            
-a----        5/29/2015   1:17 PM         315696 TeamViewer_Resource_lt.dll                                            
-a----        5/29/2015   1:18 PM         313136 TeamViewer_Resource_nl.dll                                            
-a----        5/29/2015   1:18 PM         292144 TeamViewer_Resource_no.dll                                            
-a----        5/29/2015   1:17 PM         313136 TeamViewer_Resource_pl.dll                                            
-a----        5/29/2015   1:18 PM         308528 TeamViewer_Resource_pt.dll                                            
-a----        5/29/2015   1:17 PM         321840 TeamViewer_Resource_ro.dll                                            
-a----        5/29/2015   1:17 PM         308528 TeamViewer_Resource_ru.dll                                            
-a----        5/29/2015   1:17 PM         304944 TeamViewer_Resource_sk.dll                                            
-a----        5/29/2015   1:18 PM         306480 TeamViewer_Resource_sr.dll                                            
-a----        5/29/2015   1:18 PM         292144 TeamViewer_Resource_sv.dll                                            
-a----        5/29/2015   1:18 PM         291632 TeamViewer_Resource_th.dll                                            
-a----        5/29/2015   1:17 PM         302896 TeamViewer_Resource_tr.dll                                            
-a----        5/29/2015   1:18 PM         310064 TeamViewer_Resource_uk.dll                                            
-a----        5/29/2015   1:18 PM         322352 TeamViewer_Resource_vi.dll                                            
-a----        5/29/2015   1:17 PM         178992 TeamViewer_Resource_zhCN.dll                                          
-a----        5/29/2015   1:18 PM         180016 TeamViewer_Resource_zhTW.dll                                          
-a----        5/29/2015   1:17 PM        2869040 TeamViewer_Service.exe                                                
-a----        5/29/2015   1:17 PM        2589488 TeamViewer_StaticRes.dll                                              
-a----        2/20/2020   2:14 AM             47 tvinfo.ini                                                            
-a----        5/29/2015   1:10 PM          68400 tv_w32.dll                                                            
-a----        5/29/2015   1:10 PM         106800 tv_w32.exe                                                            
-a----        5/29/2015   1:10 PM          82224 tv_x64.dll                                                            
-a----        5/29/2015   1:10 PM         129840 tv_x64.exe                                                            
-a----        5/29/2015   2:01 PM         612264 uninstall.exe

While the majority of the files are executables, I see some other interesting files and directories.

Info


PS C:\Program Files (x86)\TeamViewer\Version7> cat tvinfo.ini
[Installation]
INSTEXE=TeamViewer7_Setup.exe

The tvinfo.ini file confirms the version again: the installer that was used was TeamViewer7_Setup.exe.

Log


PS C:\Program Files (x86)\TeamViewer\Version7> cat TeamViewer7_Logfile.log | select-string administrator
 
2020/03/18 16:49:00.047  2976  2980 S0   CTerminalServer::StartGUIProcess() GUI process 4660 started for user remote\administrator in session 1
2021/07/09 06:34:26.189  2996  3000 S0   CTerminalServer::StartGUIProcess() GUI process 1008 started for user remote\administrator in session 1
2021/08/17 09:34:34.088  2380  2384 S0   CTerminalServer::StartGUIProcess() GUI process 4448 started for user remote\administrator in session 1
2022/04/08 07:54:38.468  2144  2148 S0   CTerminalServer::StartGUIProcess() GUI process 4552 started for user remote\administrator in session 1

Filtering the log file for the string "administrator" with select-string reveals that the administrator user has indeed used the software: each match is a CTerminalServer::StartGUIProcess() entry recording a TeamViewer GUI process started for remote\administrator in session 1. This is much as anticipated, since the administrator user is the only "normal" user on the system.
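The same triage done programmatically, as an added example that is not part of the original writeup: a small parser for the TeamViewer 7 service log format inferred from the four lines above, which groups GUI-process starts per user and flags any user not on an allow list. The line format, the svc-backup user and the non-GUI line in the sample are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Assumed TeamViewer 7 service log line layout, inferred from the lines shown on the page:
# <date time.ms>  <pid>  <tid> <S-level>   <Component::Method() message>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>S\d+)\s+(?P<msg>.*)$"
)
# The message emitted when the service spawns a GUI process for an interactive user.
GUI_RE = re.compile(
    r"CTerminalServer::StartGUIProcess\(\) GUI process (?P<gui_pid>\d+) "
    r"started for user (?P<user>\S+) in session (?P<session>\d+)"
)

def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LOG_RE.match(line.rstrip())
    return m.groupdict() if m else None

def gui_sessions(lines):
    """Map each user (lower-cased) to a list of (timestamp, gui_pid, session) GUI starts."""
    result = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        g = GUI_RE.search(rec["msg"])
        if g:
            result[g["user"].lower()].append((rec["ts"], int(g["gui_pid"]), int(g["session"])))
    return dict(result)

def unexpected_users(lines, allowed):
    """Users that launched a TeamViewer GUI session but are not on the allow list."""
    allowed = {a.lower() for a in allowed}
    return sorted(u for u in gui_sessions(lines) if u not in allowed)

# Constructed sample: the four lines from the page plus two made-up lines
# (a non-GUI service line and a GUI start for a hypothetical svc-backup account).
SAMPLE_LOG = """\
2020/03/18 16:49:00.047  2976  2980 S0   CTerminalServer::StartGUIProcess() GUI process 4660 started for user remote\\administrator in session 1
2021/07/09 06:34:26.189  2996  3000 S0   CTerminalServer::StartGUIProcess() GUI process 1008 started for user remote\\administrator in session 1
2021/08/17 09:34:34.088  2380  2384 S0   CTerminalServer::StartGUIProcess() GUI process 4448 started for user remote\\administrator in session 1
2022/04/08 07:54:38.468  2144  2148 S0   CTerminalServer::StartGUIProcess() GUI process 4552 started for user remote\\administrator in session 1
2022/04/08 07:55:01.000  2144  2148 S0   SomeComponent::Tick() constructed non-GUI line that must be ignored
2023/02/01 05:27:10.500  2144  2148 S0   CTerminalServer::StartGUIProcess() GUI process 5120 started for user remote\\svc-backup in session 2
"""

if __name__ == "__main__":
    for user, starts in gui_sessions(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: {len(starts)} GUI start(s), last at {starts[-1][0]}")
    print("not on allow list:", unexpected_users(SAMPLE_LOG.splitlines(), ["remote\\administrator"]))
```

On a live host the same functions can be fed the contents of TeamViewer7_Logfile.log and TeamViewer7_Logfile_OLD.log to build a timeline of who opened TeamViewer sessions and when.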

x64


PS C:\Program Files (x86)\TeamViewer\Version7> cd x64 ; ls
 
 
    Directory: C:\Program Files (x86)\TeamViewer\Version7\x64
 
 
Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----         8/7/2012   6:36 AM          10645 TeamViewerVPN.cat                                                     
-a----         8/7/2012   6:36 AM           5391 TeamViewerVPN.inf                                                     
-a----        9/12/2012   7:36 AM          35112 TeamViewerVPN.sy_                                                     
-a----         8/7/2012   6:36 AM           7738 TVMonitor.cat                                                         
-a----         8/7/2012   6:36 AM           1775 TVMonitor.inf                                                         
-a----        9/12/2012   7:36 AM          16376 TVMonitor.sy_                                                         

Checking the x64 directory reveals a few files with unusual extensions (.cat, .inf and .sy_).

As I am not that familiar with TeamViewer, I did some research online and concluded the following about those files:

  • TeamViewerVPN.cat, TeamViewerVPN.inf, and TeamViewerVPN.sy_: These files are likely related to the VPN functionality provided by TeamViewer, and could contain information on how the VPN connection is established, the encryption keys used for the VPN connection, and other details that could be of interest to a threat actor.
  • TVMonitor.cat, TVMonitor.inf, and TVMonitor.sy_: These files are likely related to the monitoring functionality provided by TeamViewer, and could contain information on what actions are being monitored, how they are being monitored, and any information being logged or transmitted. A threat actor might use this information to launch a malicious attack against the monitored system.

I also learned that TeamViewer versions below 9.x are vulnerable to credential extraction. Moving on to the Privilege Escalation phase.