From d388ce945c5716865c87d2084fcd9a620657f0bb Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 8 Feb 2022 20:40:31 +0100 Subject: [PATCH 1/2] refactor: reduced level of TeamViewer rule --- rules/windows/dns_query/dns_net_susp_teamviewer.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/dns_query/dns_net_susp_teamviewer.yml b/rules/windows/dns_query/dns_net_susp_teamviewer.yml index ed64dcf2c..390ba7f2b 100644 --- a/rules/windows/dns_query/dns_net_susp_teamviewer.yml +++ b/rules/windows/dns_query/dns_net_susp_teamviewer.yml @@ -3,6 +3,7 @@ id: 778ba9a8-45e4-4b80-8e3e-34a419f0b85e description: Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation) status: experimental date: 2022/01/30 +date: 2022/02/08 author: Florian Roth references: - https://www.teamviewer.com/en-us/ @@ -23,4 +24,4 @@ detection: falsepositives: - Unknown binary names of TeamViewer - Other programs that also lookup the observed domain -level: high \ No newline at end of file +level: medium \ No newline at end of file From 9c7679e3192c175bc344bb3f73fae9fe323df256 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 8 Feb 2022 20:41:26 +0100 Subject: [PATCH 2/2] fix: duplicate date field --- rules/windows/dns_query/dns_net_susp_teamviewer.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/dns_query/dns_net_susp_teamviewer.yml b/rules/windows/dns_query/dns_net_susp_teamviewer.yml index 390ba7f2b..ddfe7f510 100644 --- a/rules/windows/dns_query/dns_net_susp_teamviewer.yml +++ b/rules/windows/dns_query/dns_net_susp_teamviewer.yml 
@@ -3,7 +3,7 @@ id: 778ba9a8-45e4-4b80-8e3e-34a419f0b85e description: Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation) status: experimental date: 2022/01/30 -date: 2022/02/08 +modified: 2022/02/08 author: Florian Roth references: - https://www.teamviewer.com/en-us/
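Review bot: In the first hunk of PATCH 1/2 the added `+date: 2022/02/08` line sits directly under the unchanged `date: 2022/01/30`, so the rule ends up with two `date` keys. A duplicate mapping key is rejected by strict YAML loaders and silently overwritten by lenient ones, so the original creation date would be lost either way. The Sigma convention for a later change is a separate `modified:` field; suggest `modified: 2022/02/08` in place of the second `date:` line, keeping the original `date: 2022/01/30` intact.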
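Review bot: The second hunk of PATCH 1/2 lowers `level: high` to `level: medium` without recording why, while the unchanged `description` still frames the behaviour as something "sometimes used by threat actors for obfuscation" and the `falsepositives` list only gives "Unknown binary names of TeamViewer" and "Other programs that also lookup the observed domain". If the downgrade is driven by observed false positives, suggest stating that in the commit message or extending the `falsepositives` entries so the new level is justified by the rule text itself. The hunk also rewrites the last line yet keeps `\ No newline at end of file` on both sides; since the line is being touched anyway, adding the trailing newline would make later diffs cleaner.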
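Review bot: The hunk in PATCH 2/2 replaces `-date: 2022/02/08` with `+modified: 2022/02/08`, which removes the duplicate key introduced one commit earlier and uses the correct field name. Suggest squashing PATCH 2/2 into PATCH 1/2 before merge so that no commit in the rule's history carries a YAML file with two `date` keys; as a two-commit series, a checkout of d388ce945c5716865c87d2084fcd9a620657f0bb yields a rule that strict parsers reject.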