mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 17:58:52 +00:00
29 lines
1.2 KiB
YAML
Executable File
29 lines
1.2 KiB
YAML
Executable File
title: Suspicious Keyboard Layout Load
|
|
id: 34aa0252-6039-40ff-951f-939fd6ce47d8
|
|
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems
|
|
maintained by US staff only
|
|
references:
|
|
- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
|
|
- https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
|
|
author: Florian Roth
|
|
date: 2019/10/12
|
|
modified: 2019/10/15
|
|
logsource:
|
|
category: registry_event
|
|
product: windows
|
|
definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
|
|
detection:
|
|
selection_registry:
|
|
TargetObject:
|
|
- '*\Keyboard Layout\Preload\*'
|
|
- '*\Keyboard Layout\Substitutes\*'
|
|
Details|contains:
|
|
- 00000429 # Persian (Iran)
|
|
- 00050429 # Persian (Iran)
|
|
- 0000042a # Vietnamese
|
|
condition: selection_registry
|
|
falsepositives:
|
|
- "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)"
|
|
level: medium
|
|
|