Hi, I am looking for information on TeamViewer / TeamViewer_Service.exe. We have a user (a developer), so they have admin rights to the laptop. The user has installed TeamViewer. I believe TeamViewer_Service is what allows someone to be able to remote onto said computer.
From the logs in MS Defender ATP (AzureAD/Office365), I can see both appear in the timeline of actions/events.
What I am interested in is whether someone is remoted onto the said computer! We believe the user may be somewhere else and using this to look like they are in the UK! Oh, I work within the InfoSec department, if you are wondering why I am asking this.
Any advice on what to look for would be great.
I have entries like this, with different IP addresses at the end. Would any of these have the source IP from where a remote connection would be coming from?
TeamViewer.exe successfully established connection with 127.0.0.1:49868
TeamViewer_Service.exe successfully established connection with 126.96.36.199:5938