
Installation of TeamViewer Desktop

Sigma Rules

Summary
This detection rule targets the installation of TeamViewer Desktop on Windows systems. It looks for the creation of the executable file 'TeamViewer_Desktop.exe' during the installation phase, using file event logs to capture instances where this file is created, which indicates that TeamViewer, a remote access and control tool, has been installed on the host. TeamViewer is frequently used for legitimate remote support, but an installation that was not properly authorized can also indicate unauthorized access or remote control by malicious actors, so installations need to be monitored closely. The rule also aims to help defend against attacks in which unauthorized remote access is gained, by watching for this installation process. Given the potential for abuse, detection needs to differentiate between legitimate and potentially malicious installations and account for the frequency of false positives stemming from legitimate IT maintenance.
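The rule's logic applied to file-creation events, as an added example (not the Sigma rule's own source): it matches on the file name as the summary describes and, as an assumption for handling the false positives mentioned above, labels installs performed by an approved deployment tool. The event records, host names and the `DeployAgent` path are constructed; the `Image` and `TargetFilename` field names follow Sysmon Event ID 11 (FileCreate).

```python
import json

# Constructed Sysmon Event ID 11 (FileCreate) records, one JSON object per line.
SAMPLE_EVENTS = r"""
{"EventID": 11, "Computer": "WS-014", "Image": "C:\\Program Files\\DeployAgent\\agent.exe", "TargetFilename": "C:\\Program Files\\TeamViewer\\TeamViewer_Desktop.exe"}
{"EventID": 11, "Computer": "WS-022", "Image": "C:\\Users\\alice\\Downloads\\TeamViewer_Setup.exe", "TargetFilename": "C:\\Program Files (x86)\\TeamViewer\\teamviewer_desktop.exe"}
{"EventID": 11, "Computer": "WS-022", "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\alice\\Desktop\\My_TeamViewer_Desktop.exe"}
{"EventID": 1, "Computer": "WS-030", "Image": "C:\\Windows\\System32\\cmd.exe"}
not-json
"""

# Windows paths are case-insensitive; the leading backslash anchors the match
# to the full file name so "My_TeamViewer_Desktop.exe" does not hit.
TARGET_SUFFIX = "\\teamviewer_desktop.exe"

# Assumption: the software-deployment agent this organisation sanctions (hypothetical path).
APPROVED_INSTALLERS = {"c:\\program files\\deployagent\\agent.exe"}


def matches_rule(event):
    """True for a file-creation event whose target is TeamViewer_Desktop.exe."""
    if event.get("EventID") != 11:
        return False
    return str(event.get("TargetFilename", "")).lower().endswith(TARGET_SUFFIX)


def triage(event):
    """Separate sanctioned deployments from installs that need analyst review."""
    creator = str(event.get("Image", "")).lower()
    return "expected" if creator in APPROVED_INSTALLERS else "review"


def scan(lines):
    """Return (computer, target path, verdict) for every matching event."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting the scan
        if isinstance(event, dict) and matches_rule(event):
            hits.append((event.get("Computer"), event["TargetFilename"], triage(event)))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS.splitlines()):
        print(hit)
```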
Categories
  • Endpoint
  • Windows
Data Sources
  • File
ATT&CK Techniques
  • T1219
Created: 2022-01-28