title: Suspicious Keyboard Layout Load
id: 34aa0252-6039-40ff-951f-939fd6ce47d8
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems
    maintained by US staff only
references:
    - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
    - https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
author: Florian Roth
date: 2019/10/12
modified: 2019/10/15
logsource:
    category: registry_event
    product: windows
    definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
detection:
    selection_registry:
        
        TargetObject: 
            - '*\Keyboard Layout\Preload\*'
            - '*\Keyboard Layout\Substitutes\*'
        Details|contains:
            - 00000429  # Persian (Iran)
            - 00050429  # Persian (Iran)
            - 0000042a  # Vietnamese
    condition: selection_registry
falsepositives:
    - "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)"
level: medium