Highlighted
Posted by
Henagon

Teamviewer Connection Details

Hi,
I am looking for information on Teamviewer / Teamviewer_sevice.exe. We have a User (a Developer), so has admin rights to laptop. The user has installed teamviewer. I believe teamviewer_service is what allows some to be able to remote onto said computer.


From the logs with MS Defender ATP (AzureAD/Office365). I can see both appear in the timeline of actions/events.


What i am interested in is if someone is remoted onto the said computer! We believe the user may somewhere else and using this is look like in the UK!!!!!!
Oh i work within the InfoSec department if you wondering why i am asking this.


Any advice to what to look for would be great.


I have entries like this, with different IP address at the end. would any of this have the source IP from where a remote connection would be coming from?


TeamViewer.exe successfully established connection with 127.0.0.1:49868 TeamViewer_Service.exe successfully established connection with 37.252.254.183:5938


Thanks in advance