
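rule LOG_TeamViewer_Connect_Chinese_Keyboard_Layout {
    meta:
        description = "Detects a suspicious TeamViewer log entry stating that the remote systems had a Chinese keyboard layout"
        author = "Florian Roth (Nextron Systems)"
        date = "2019-10-12"
        modified = "2020-12-16"
        score = 60
        limit = "Logscan"
        reference = "https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs"
        id = "f901818b-5150-540f-b645-686c12784a38"
    strings:
        /* Source has Chinese simplified keyboard layout.
           NOTE(review): 042a looks like the Vietnamese (vi-VN) locale identifier rather than a
           Chinese one -- confirm against the referenced locale table before relying on it. */
        $x1 = "Changing keyboard layout to: 0804" ascii
        /* 'ascii' added for consistency with the other strings; it is YARA's default modifier,
           so matching behaviour is unchanged */
        $x2 = "Changing keyboard layout to: 042a" ascii
        /* Avoiding Chinese to Chinese support cases: per the original note, same-layout
           sessions are logged with the identifier doubled. Each $fp literal starts with the
           corresponding $x literal, so every $fp hit is also counted in #x1/#x2 -- the
           condition below depends on that. */
        $fp1 = "Changing keyboard layout to: 08040804" ascii
        $fp2 = "Changing keyboard layout to: 042a042a" ascii
    condition:
        /* Fires only when at least one layout change is not a same-layout support case */
        ( #x1 + #x2 ) > ( #fp1 + #fp2 )
}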
rule LOG_TeamViewer_Connect_Russian_Keyboard_Layout {
    meta:
        description = "Detects a suspicious TeamViewer log entry stating that the remote systems had a Russian keyboard layout"
        author = "Florian Roth (Nextron Systems)"
        date = "2019-10-12"
        modified = "2022-12-07"
        score = 60
        limit = "Logscan"
        reference = "https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs"
        id = "360a1cca-2a64-5fd8-bcde-f49e1b17281e"
    strings:
        /* Remote side switched to the Russian layout (locale 0419) */
        $ru_layout = "Changing keyboard layout to: 0419" ascii
        /* Russian-to-Russian support sessions, which the original note says appear with the
           identifier doubled. This literal begins with the $ru_layout literal, so each hit
           here is also counted in #ru_layout. */
        $ru_self = "Changing keyboard layout to: 04190419" ascii
    condition:
        /* At least one layout change that is not a Russian-to-Russian session */
        #ru_layout > #ru_self
}