SigmaHQ/rules/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml

title: Suspicious Keyboard Layout Load
id: 34aa0252-6039-40ff-951f-939fd6ce47d8
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems
    maintained by US staff only
references:
    - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
    - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
author: Florian Roth
date: 2019/10/12
modified: 2019/10/15
logsource:
    product: windows
    service: sysmon
    definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
detection:
    selection_registry:
        EventID: 13
        TargetObject: 
            - '*\Keyboard Layout\Preload\*'
            - '*\Keyboard Layout\Substitutes\*'
        Details: 
            - 00000429  # Persian (Iran)
            - 00050429  # Persian (Iran)
            - 0000042a  # Vietnamese
    condition: selection_registry
falsepositives:
    - "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)"
level: medium
rule: suspicious keyboard layout load 2019-10-14 14:25:27 +00:00			`title: Suspicious Keyboard Layout Load`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 34aa0252-6039-40ff-951f-939fd6ce47d8`
			`description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems`
			`maintained by US staff only`
rule: suspicious keyboard layout load 2019-10-14 14:25:27 +00:00			`references:`
			`- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index`
rule: keyboad layout preloads extended with ' 2019-10-15 13:11:00 +00:00			`- https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files`
rule: suspicious keyboard layout load 2019-10-14 14:25:27 +00:00			`author: Florian Roth`
			`date: 2019/10/12`
rule: keyboad layout preloads extended with ' 2019-10-15 13:11:00 +00:00			`modified: 2019/10/15`
rule: suspicious keyboard layout load 2019-10-14 14:25:27 +00:00			`logsource:`
			`product: windows`
			`service: sysmon`
			`definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'`
			`detection:`
			`selection_registry:`
			`EventID: 13`
rule: keyboad layout preloads extended with ' 2019-10-15 13:11:00 +00:00			`TargetObject:`
			`- '\Keyboard Layout\Preload\'`
			`- '\Keyboard Layout\Substitutes\'`
rule: suspicious keyboard layout load 2019-10-14 14:25:27 +00:00			`Details:`
			`- 00000429 # Persian (Iran)`
			`- 00050429 # Persian (Iran)`
			`- 0000042a # Vietnamese`
			`condition: selection_registry`
			`falsepositives:`
			`- "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)"`
			`level: medium`