Windows.Detection.TeamViewerLanguage

This artifact collects TeamViewer log entries that record keyboard layout changes.

The artifact first searches for TeamViewer log filenames, then applies YARA to extract the matching log lines. By default it prioritises Chinese, Vietnamese and Russian layout changes, then uses a catch-all rule for any other change. You can add further targeted YARA rules as desired to sort the output.

Each log entry contains two language codes: the first is the keyboard layout of the connecting system and the second is the default input profile of the target host. Identical codes could indicate legitimate support activity.

Look up language codes at the Microsoft reference link. Examples:

0409 - US English
0419 - Russian
0804 - Chinese Simplified
0404 - Chinese Traditional
042a - Vietnamese


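name: Windows.Detection.TeamViewerLanguage
author: Matt Green - @mgreen27
description: |
   This artifact enables collection of TeamViewer log entries for keyboard layout
   changes.

   The artifact first searches for TeamViewer log filenames, then applies YARA
   to extract log lines. The artifact by default hunts for Chinese, Vietnamese
   and Russian language changes as priority, then uses a catch-all for generic
   changes. You can add additional targeted YARA rules as desired to sort output.

   In each log entry there are two language codes, the first being the keyboard
   layout of the connecting system and the second the default input profile
   of the target host. Identical language codes could indicate legitimate support.

   Look up language codes at the Microsoft reference link. Examples below:

   0409 - US English  
   0419 - Russian  
   0804 - Chinese Simplified  
   0404 - Chinese Traditional  
   042a - Vietnamese  

# The targeted rules in the YaraToScan default appear to be taken from the
# second reference (Neo23x0 signature-base, author Florian Roth).
reference:
  - https://twitter.com/cyb3rops/status/1600157565148483584
  - https://github.com/Neo23x0/signature-base/blob/master/yara/log_teamviewer_keyboard_layouts.yar
  - https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs?view=windows-11

type: CLIENT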

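parameters:
  - name: TargetFileRegex
    # Passed as FileNameRegex to Windows.Detection.Yara.NTFS; the path itself is
    # left unrestricted there (PathRegex='.').
    # NOTE(review): the `..` assumes a two-character version in the filename -
    # confirm against the TeamViewer versions in scope.
    default: '^TeamViewer.._Logfile.*\.log$'
    description: Target TeamViewer log filenames.
  - name: DriveLetter
    default: "C:"
    description: Drive to scan; passed through to Windows.Detection.Yara.NTFS.
  - name: AllDrives
    type: bool
    description: Passed through to Windows.Detection.Yara.NTFS AllDrives.
  - name: LayoutRegex
    default: .
    description: Regex applied to the parsed KeyboardLayout code to filter the output.
  # The targeted rules come first so their hits sort to the top of the output.
  # The last rule matches every layout-change line, so a line caught by a
  # targeted rule is normally reported again under the catch-all rule.
  # YARA conditions are evaluated per file: because "...to: 0804" is a prefix
  # of "...to: 08040804", the count comparison fires when at least one entry in
  # the file is not a same-language pair. The "Chinese" rule also carries the
  # Vietnamese code 042a; Traditional Chinese (0404) has no targeted rule and
  # is only reported by the catch-all.
  - name: YaraToScan
    description: Yara to scan. High priority rules first then catch all for generic changes at end.
    default: |
      rule LOG_TeamViewer_Connect_Chinese_Keyboard_Layout {
         meta:
            description = "Detects a suspicious TeamViewer log entry stating that the remote systems had a Chinese keyboard layout"
            author = "Florian Roth"
            date = "2019-10-12"
            modified = "2020-12-16"
            score = 60
            limit = "Logscan"
            reference = "https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs"
         strings:
            /* Source has Chinese simplified (0804) or Vietnamese (042a) keyboard layout */
            $x1 = "Changing keyboard layout to: 0804" ascii
            $x2 = "Changing keyboard layout to: 042a" ascii
            /* Avoiding Chinese to Chinese support cases */
            $fp1 = "Changing keyboard layout to: 08040804" ascii
            $fp2 = "Changing keyboard layout to: 042a042a" ascii
         condition:
            ( #x1 + #x2 ) > ( #fp1 + #fp2 )
      }
      rule LOG_TeamViewer_Connect_Russian_Keyboard_Layout {
         meta:
            description = "Detects a suspicious TeamViewer log entry stating that the remote systems had a Russian keyboard layout"
            author = "Florian Roth"
            date = "2019-10-12"
            modified = "2022-12-07"
            score = 60
            limit = "Logscan"
            reference = "https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs"
         strings:
            /* Source has Russian keyboard layout */
            $x1 = "Changing keyboard layout to: 0419" ascii
            /* Avoiding Russian to Russian support cases */
            $fp1 = "Changing keyboard layout to: 04190419" ascii
         condition:
            #x1 > #fp1
      }
      rule LOG_TeamViewer_Connect_any_Keyboard_Layout {
         meta:
            description = "Detects a generic TeamViewer log entry stating change in keyboard layout"
         strings:
            $x1 = "Changing keyboard layout to:" ascii
         condition:
            any of them
      }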

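sources:
  - precondition:
      SELECT OS FROM info() WHERE OS = 'windows'

    # Windows.Detection.Yara.NTFS does the file discovery and scanning; this
    # query only isolates the matching log line and parses the timestamp and
    # layout code out of it.
    query: |
      -- One row per YARA string match. HitContext holds ContextBytes on either
      -- side of the match, so keep only the context line that carries the
      -- layout change.
      LET hits = SELECT OSPath, Rule,
        Meta.description AS RuleDescription,
        filter(list=split(string=HitContext, sep='\r\n'),
               regex='Changing keyboard layout to')[0] AS HitContent
      FROM Artifact.Windows.Detection.Yara.NTFS(
            FileNameRegex=TargetFileRegex, PathRegex='.',
            AllDrives=AllDrives,
            DriveLetter=DriveLetter,
            NumberOfHits=9999999,
            ContextBytes=50,
            YaraRule=YaraToScan)

      -- EventTime is anchored to the start of the line, so it is only parsed
      -- when the 50 leading context bytes reach the line start; otherwise the
      -- row is still emitted with an empty EventTime. KeyboardLayout is taken
      -- from the text right after the match and does not depend on that.
      -- NOTE(review): confirm ContextBytes=50 covers the log-line prefix in
      -- real TeamViewer logs.
      LET details = SELECT *,
            parse_string_with_regex(string=HitContent,
            regex=[
                '^(?P<EventTime>\\d{4}.\\d{2}.\\d{2}.\\d{2}:\\d{2}:\\d{2}[^\\s]+)',
                'Changing keyboard layout to: (?P<KeyboardLayout>[^\\s]+)']) AS Details
      FROM hits

      -- LayoutRegex defaults to '.', i.e. every parsed layout code is kept.
      SELECT
        timestamp(string=Details.EventTime) AS EventTime,
        Rule,
        Details.KeyboardLayout AS KeyboardLayout,
        HitContent,
        RuleDescription,
        OSPath
      FROM details
      WHERE KeyboardLayout =~ LayoutRegex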