TeamViewer Domain Query By Non-TeamViewer Application

Sigma Rules

Summary
This detection rule flags DNS queries for TeamViewer domains that do not originate from the TeamViewer application itself. Normally only TeamViewer resolves these names, so the rule matches when the querying process's image path does not contain 'TeamViewer'. Abusing a legitimate remote-access service in this way is a common tactic threat actors use to blend malicious activity into expected traffic; because TeamViewer provides remote access and control, a non-TeamViewer process resolving its domains can indicate malware or an unauthorized access attempt. TeamViewer is legitimately present in many environments, so analysts should review these alerts closely and tune the rule to reduce false positives. The rule is rated medium severity: it is a meaningful indicator of potential compromise, but legitimate applications may occasionally trigger it.
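The matching logic described in the summary, written out as an added example so it can be run over constructed Sysmon Event ID 22 (DnsQuery) records; this is illustration code, not the Sigma rule's own definition. It assumes "TeamViewer domains" means teamviewer.com and its subdomains, and the `allowed_images` tuning allowlist is a hypothetical addition for reducing the false positives the summary mentions.

```python
import re
from typing import Dict, Iterable, List, Set

# Assumption: the rule's "TeamViewer domains" are modelled as teamviewer.com and
# any subdomain of it; the published rule may instead list specific hostnames.
TEAMVIEWER_DOMAIN_RE = re.compile(r"(^|\.)teamviewer\.com$", re.IGNORECASE)

def is_teamviewer_domain(query_name: str) -> bool:
    """True for teamviewer.com and its subdomains (a trailing dot is tolerated)."""
    return bool(TEAMVIEWER_DOMAIN_RE.search(query_name.strip().rstrip(".")))

def is_teamviewer_process(image: str) -> bool:
    """Sigma 'contains' is case-insensitive, so match 'TeamViewer' the same way."""
    return "teamviewer" in image.lower()

def matches(event: Dict, allowed_images: Set[str] = frozenset()) -> bool:
    """Apply the rule to one Sysmon Event ID 22 record. allowed_images is a
    hypothetical tuning allowlist of image paths an organisation has verified."""
    if event.get("EventID") != 22:
        return False
    image = event.get("Image", "")
    if image.lower() in {a.lower() for a in allowed_images}:
        return False
    return is_teamviewer_domain(event.get("QueryName", "")) and not is_teamviewer_process(image)

def run_rule(events: Iterable[Dict], allowed_images: Set[str] = frozenset()) -> List[Dict]:
    """Return the records that would raise an alert."""
    return [e for e in events if matches(e, allowed_images)]

# Constructed sample records; field names follow Sysmon Event ID 22.
SAMPLE_EVENTS = [
    {"EventID": 22, "Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "QueryName": "client.teamviewer.com"},       # legitimate client: filtered out
    {"EventID": 22, "Image": r"C:\Users\Public\update.exe",
     "QueryName": "client.teamviewer.com"},       # non-TeamViewer image: alert
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.teamviewer.com"},          # browser visiting the site: tuning candidate
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "notteamviewer.com"},           # different domain: no match
    {"EventID": 3, "Image": r"C:\Users\Public\update.exe",
     "QueryName": "client.teamviewer.com"},       # not a DNS query event: ignored
]

if __name__ == "__main__":
    allow = {r"C:\Program Files\Mozilla Firefox\firefox.exe"}
    for hit in run_rule(SAMPLE_EVENTS, allowed_images=allow):
        print(f"ALERT {hit['Image']} -> {hit['QueryName']}")
```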
Categories
  • Windows
  • Network
Data Sources
  • Domain Name
  • Network Traffic
Created: 2022-01-30