Sneed-Reactivity/yara-Neo23x0/log_teamviewer_keyboard_layouts.yar


rule LOG_TeamViewer_Connect_Chinese_Keyboard_Layout {
   meta:
      description = "Detects a suspicious TeamViewer log entry stating that the remote systems had a Chinese keyboard layout"
      author = "Florian Roth (Nextron Systems)"
      date = "2019-10-12"
      modified = "2020-12-16"
      score = 60
      limit = "Logscan"
      reference = "https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs"
      id = "f901818b-5150-540f-b645-686c12784a38"
   strings:
      /* Source has Chinese simplified keyboard layout */
      $x1 = "Changing keyboard layout to: 0804" ascii
      $x2 = "Changing keyboard layout to: 042a"
      /* Avoiding Chinese to Chinese support cases */
      $fp1 = "Changing keyboard layout to: 08040804" ascii
      $fp2 = "Changing keyboard layout to: 042a042a" ascii
   condition:
      ( #x1 + #x2 ) > ( #fp1 + #fp2 )
}

rule LOG_TeamViewer_Connect_Russian_Keyboard_Layout {
   meta:
      description = "Detects a suspicious TeamViewer log entry stating that the remote systems had a Russian keyboard layout"
      author = "Florian Roth (Nextron Systems)"
      date = "2019-10-12"
      modified = "2022-12-07"
      score = 60
      limit = "Logscan"
      reference = "https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs"
      id = "360a1cca-2a64-5fd8-bcde-f49e1b17281e"
   strings:
      /* Source has Russian keyboard layout */
      $x1 = "Changing keyboard layout to: 0419" ascii
      /* Avoiding Russian to Russian support cases */
      $fp1 = "Changing keyboard layout to: 04190419" ascii
   condition:
      #x1 > #fp1
}
OMG ISTG PLS WORK RED PILL :red_circle: :pill: 2024-07-25 12:43:35 -05:00
			`rule LOG_TeamViewer_Connect_Chinese_Keyboard_Layout {`
			`meta:`
			`description = "Detects a suspicious TeamViewer log entry stating that the remote systems had a Chinese keyboard layout"`
			`author = "Florian Roth (Nextron Systems)"`
			`date = "2019-10-12"`
			`modified = "2020-12-16"`
			`score = 60`
			`limit = "Logscan"`
			`reference = "https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs"`
			`id = "f901818b-5150-540f-b645-686c12784a38"`
			`strings:`
			`/* Source has Chinese simplified keyboard layout */`
			`$x1 = "Changing keyboard layout to: 0804" ascii`
			`$x2 = "Changing keyboard layout to: 042a"`
			`/* Avoiding Chinese to Chinese support cases */`
			`$fp1 = "Changing keyboard layout to: 08040804" ascii`
			`$fp2 = "Changing keyboard layout to: 042a042a" ascii`
			`condition:`
			`( #x1 + #x2 ) > ( #fp1 + #fp2 )`
			`}`

			`rule LOG_TeamViewer_Connect_Russian_Keyboard_Layout {`
			`meta:`
			`description = "Detects a suspicious TeamViewer log entry stating that the remote systems had a Russian keyboard layout"`
			`author = "Florian Roth (Nextron Systems)"`
			`date = "2019-10-12"`
			`modified = "2022-12-07"`
			`score = 60`
			`limit = "Logscan"`
			`reference = "https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs"`
			`id = "360a1cca-2a64-5fd8-bcde-f49e1b17281e"`
			`strings:`
			`/* Source has Russian keyboard layout */`
			`$x1 = "Changing keyboard layout to: 0419" ascii`
			`/* Avoiding Russian to Russian support cases */`
			`$fp1 = "Changing keyboard layout to: 04190419" ascii`
			`condition:`
			`#x1 > #fp1`
			`}`