Suspicious Keyboard Layout Load

Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only

Sigma rule (View on GitHub)

 1title: Suspicious Keyboard Layout Load
 2id: 34aa0252-6039-40ff-951f-939fd6ce47d8
 3status: test
 4description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
 5references:
 6    - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
 7    - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
 8author: Florian Roth (Nextron Systems)
 9date: 2019/10/12
10modified: 2023/08/17
11tags:
12    - attack.resource_development
13    - attack.t1588.002
14logsource:
15    category: registry_set
16    product: windows
17    definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
18detection:
19    selection_registry:
20        TargetObject|contains:
21            - '\Keyboard Layout\Preload\'
22            - '\Keyboard Layout\Substitutes\'
23        Details|contains:
24            - 00000429  # Persian (Iran)
25            - 00050429  # Persian (Iran)
26            - 0000042a  # Vietnamese
27    condition: selection_registry
28falsepositives:
29    - Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)
30level: medium

References

Related rules

to-top