Remote File Copy via TeamViewer

Elastic Detection Rules

Summary
The 'Remote File Copy via TeamViewer' detection rule targets potential abuse of the TeamViewer application, commonly used for remote access, to detect unauthorized file transfers in a Windows environment. It uses EQL (Event Query Language) to identify scenarios where an executable or script file is created via TeamViewer. The rule triggers on file creation events in the context of the TeamViewer process, specifically focusing on files with certain extensions often associated with malware or scripts. Additionally, exceptions are made for valid file paths and signed executables to reduce false positives. The rule integrates with logs from SentinelOne and Elastic's endpoint data, maintaining a medium risk score due to the common legitimate use of TeamViewer, which necessitates thorough analysis when alerts are triggered. Analysts are encouraged to investigate the process execution chain and consult additional investigation steps outlined in a triage guide, which includes checking DNS cache, registry events, and relevant user activities. The rule aligns with tactics for Command and Control as defined by the MITRE ATT&CK framework, specifically techniques like 'Ingress Tool Transfer' and 'Remote Access Software'.
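To make the detection logic concrete, the following Python re-implements the rule's decision steps as described above (file creation in the context of the TeamViewer process, a suspicious extension, and exclusions for allow-listed paths and signed executables) and runs it over constructed sample events. This is an added example, not Elastic's EQL rule or its code; the ECS-style field names are a convention, and the process name, the extension set and the allow-listed path prefix are assumptions for the demo rather than values taken from the rule.

```python
"""Illustrative re-implementation of the 'Remote File Copy via TeamViewer'
detection logic. Added example, not Elastic's rule code. Field names follow
Elastic Common Schema (ECS) naming; the process name, extension set and
allow-listed path prefix below are assumptions for demonstration only."""

# Assumed values (not taken from the rule itself).
TEAMVIEWER_PROCESS = "teamviewer.exe"
SUSPECT_EXTENSIONS = {"exe", "dll", "scr", "com", "bat", "cmd", "ps1", "vbs", "js"}
ALLOWED_PATH_PREFIXES = ("c:\\program files\\teamviewer\\",)


def matches_rule(event: dict) -> bool:
    """Return True when a single event satisfies the rule's conditions."""
    # 1. Only file creation events are of interest.
    if event.get("event.category") != "file" or event.get("event.type") != "creation":
        return False
    # 2. The creating process must be TeamViewer (case-insensitive on Windows).
    if event.get("process.name", "").lower() != TEAMVIEWER_PROCESS:
        return False
    # 3. Only extensions typically associated with executables or scripts.
    if event.get("file.extension", "").lower() not in SUSPECT_EXTENSIONS:
        return False
    # 4. Exclusion: files written to an allow-listed path.
    if event.get("file.path", "").lower().startswith(ALLOWED_PATH_PREFIXES):
        return False
    # 5. Exclusion: executables carrying a trusted code signature.
    if event.get("file.code_signature.trusted") is True:
        return False
    return True


def find_alerts(events: list) -> list:
    """Evaluate a batch of events and return the ones that would alert."""
    return [e for e in events if matches_rule(e)]


def triage_summary(event: dict) -> dict:
    """Pull out the fields an analyst would look at first (process chain,
    user, file) when the triage guide asks to review the execution context."""
    return {
        "user": event.get("user.name"),
        "parent": event.get("process.parent.name"),
        "process": event.get("process.name"),
        "file": event.get("file.path"),
        "signed": event.get("file.code_signature.trusted", False),
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Unsigned executable dropped into a user profile: should alert.
        "event.category": "file", "event.type": "creation",
        "process.name": "TeamViewer.exe", "process.parent.name": "TeamViewer_Service.exe",
        "user.name": "alice", "file.extension": "exe",
        "file.path": "C:\\Users\\alice\\Downloads\\update.exe",
        "file.code_signature.trusted": False,
    },
    {   # Office document: extension not in the suspect set.
        "event.category": "file", "event.type": "creation",
        "process.name": "TeamViewer.exe", "user.name": "alice",
        "file.extension": "docx",
        "file.path": "C:\\Users\\alice\\Documents\\report.docx",
    },
    {   # Signed binary written to the allow-listed install directory.
        "event.category": "file", "event.type": "creation",
        "process.name": "TeamViewer.exe", "user.name": "SYSTEM",
        "file.extension": "exe",
        "file.path": "C:\\Program Files\\TeamViewer\\TeamViewer_Desktop.exe",
        "file.code_signature.trusted": True,
    },
    {   # Script created by a different process: not in TeamViewer's context.
        "event.category": "file", "event.type": "creation",
        "process.name": "explorer.exe", "user.name": "alice",
        "file.extension": "ps1",
        "file.path": "C:\\Users\\alice\\Downloads\\tool.ps1",
    },
    {   # Script dropped to a temp directory by TeamViewer: should alert.
        "event.category": "file", "event.type": "creation",
        "process.name": "teamviewer.exe", "process.parent.name": "TeamViewer_Service.exe",
        "user.name": "bob", "file.extension": "ps1",
        "file.path": "C:\\Users\\bob\\AppData\\Local\\Temp\\run.ps1",
    },
    {   # Deletion event for an executable: wrong event type.
        "event.category": "file", "event.type": "deletion",
        "process.name": "TeamViewer.exe", "user.name": "bob",
        "file.extension": "exe",
        "file.path": "C:\\Users\\bob\\Downloads\\old.exe",
    },
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT", triage_summary(alert))
```

The signed-executable and allow-listed-path checks are where most tuning happens in practice: widening the path allow-list lowers noise but also hides transfers into those locations, so any such exception should be as narrow as the environment permits.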
Categories
  • Endpoint
  • Windows
  • Cloud
Data Sources
  • Process
  • File
  • Network Traffic
ATT&CK Techniques
  • T1105
  • T1219
Created: 2020-09-02