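rule LOG_TeamViewer_Connect_Chinese_Keyboard_Layout {
   meta:
      description = "Detects a suspicious TeamViewer log entry stating that the remote systems had a Chinese keyboard layout"
      author = "Florian Roth (Nextron Systems)"
      date = "2019-10-12"
      modified = "2020-12-16"
      score = 60
      limit = "Logscan"
      reference = "https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs"
      id = "f901818b-5150-540f-b645-686c12784a38"
   strings:
      /* Source side of the log line carries the Chinese (Simplified) layout ID 0804.
         The literal stops after the first four hex digits on purpose: it is a prefix
         of the eight-digit values below (presumably source+target), so it also hits
         every same-layout line; the condition compensates for that by counting. */
      $x1 = "Changing keyboard layout to: 0804" ascii
      /* NOTE(review): in the referenced Microsoft locale table 042a is the Vietnamese
         (vi-VN) locale ID, not a Chinese layout. It is kept because the original rule
         matched on it, but it widens the rule beyond what its name and description
         say - confirm this is intended, or split it into its own rule.
         `ascii` is added for consistency with the other strings; it is also YARA's
         default modifier, so the matching behaviour is unchanged.
         Traditional Chinese layouts (e.g. 0404) are NOT covered by this rule. */
      $x2 = "Changing keyboard layout to: 042a" ascii
      /* Same-layout sessions (Chinese -> Chinese, 042a -> 042a) are treated as
         ordinary support cases and are subtracted out by the condition. */
      $fp1 = "Changing keyboard layout to: 08040804" ascii
      $fp2 = "Changing keyboard layout to: 042a042a" ascii
   condition:
      /* Every $fp occurrence is also counted as an $x occurrence (prefix relation),
         so this only fires when at least one line is NOT a same-layout session. */
      ( #x1 + #x2 ) > ( #fp1 + #fp2 )
}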
rule LOG_TeamViewer_Connect_Russian_Keyboard_Layout {
   meta:
      description = "Detects a suspicious TeamViewer log entry stating that the remote systems had a Russian keyboard layout"
      author = "Florian Roth (Nextron Systems)"
      date = "2019-10-12"
      modified = "2022-12-07"
      score = 60
      limit = "Logscan"
      reference = "https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs"
      id = "360a1cca-2a64-5fd8-bcde-f49e1b17281e"
   strings:
      /* Four-digit prefix form: hits every log line whose layout value starts with
         the Russian locale ID 0419, including the eight-digit same-layout form
         below. The condition corrects for that double counting. */
      $ru_src = "Changing keyboard layout to: 0419" ascii
      /* Russian-to-Russian sessions are routine support traffic, not a signal. */
      $ru_to_ru = "Changing keyboard layout to: 04190419" ascii
   condition:
      /* $ru_src is a prefix of $ru_to_ru, so each same-layout line is counted on
         both sides; a positive difference means at least one line had a Russian
         source with some other target. */
      #ru_src - #ru_to_ru > 0
}