Last active: September 4, 2020 15:41
Sigma Rule to Detect Uncommon Keyboard Layout Loads in Your Organisation
```yaml
title: Suspicious Keyboard Layout Load
description: Detects the installation of a keyboard preload entry with a suspicious keyboard layout, e.g. a Chinese, Iranian or Vietnamese layout loaded in a user session on systems maintained by US staff only
references:
    - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
author: Florian Roth
date: 2019/10/12
logsource:
    product: windows
    service: sysmon
    definition: 'Requirements: Sysmon config that monitors the \Keyboard Layout\Preload subkey of the HKCU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
detection:
    selection_registry:
        EventID: 13
        TargetObject: '*\Keyboard Layout\Preload\*'
        Details:
            - '00000804'  # Chinese
            - '00000c04'  # Chinese
            - '00000404'  # Chinese
            - '00001004'  # Chinese
            - '00001404'  # Chinese
            - '00000429'  # Persian (Iran)
            - '00050429'  # Persian (Iran)
            - '0000042a'  # Vietnamese
            - '00000401'  # Arabic
            - '00010401'  # Arabic
            - '00020401'  # Arabic
    condition: selection_registry
falsepositives:
    - "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)"
level: medium
```
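To show what the rule actually matches, here is an added Python example (not part of the gist or of the Sigma project) that applies the same selection logic to Sysmon Event ID 13 registry events: the EventID check, the case-insensitive wildcard on `TargetObject`, and the KLID list from the rule. The sample events, SIDs and timestamps are constructed for the example, and `language_id` is a helper added here to decode the LANGID in the low 16 bits of a KLID.

```python
"""Evaluate the 'Suspicious Keyboard Layout Load' Sigma logic over Sysmon registry events."""
import fnmatch
from typing import Dict, Iterable, List

# Keyboard Layout IDs (KLIDs) flagged by the rule, written as 8 hex digits to
# HKCU\Keyboard Layout\Preload\<n>. The names mirror the comments in the rule.
SUSPICIOUS_KLIDS: Dict[str, str] = {
    "00000804": "Chinese",
    "00000c04": "Chinese",
    "00000404": "Chinese",
    "00001004": "Chinese",
    "00001404": "Chinese",
    "00000429": "Persian (Iran)",
    "00050429": "Persian (Iran)",
    "0000042a": "Vietnamese",
    "00000401": "Arabic",
    "00010401": "Arabic",
    "00020401": "Arabic",
}

# Sigma wildcard taken from the rule; Sigma string matching is case-insensitive.
TARGET_PATTERN = r"*\Keyboard Layout\Preload\*"


def language_id(klid: str) -> str:
    """Return the low 16 bits of a KLID, i.e. the Windows LANGID (e.g. '0429' for Persian).
    The high 16 bits select a layout variant of the same language (00050429 vs 00000429),
    which is why the rule lists several KLIDs per language."""
    return f"{int(klid, 16) & 0xFFFF:04x}"


def matches_rule(event: Dict[str, str]) -> bool:
    """Apply selection_registry: EventID 13, a Preload subkey, and a flagged KLID."""
    if str(event.get("EventID", "")) != "13":
        return False
    target = str(event.get("TargetObject", "")).lower()
    if not fnmatch.fnmatchcase(target, TARGET_PATTERN.lower()):
        return False
    return str(event.get("Details", "")).lower() in SUSPICIOUS_KLIDS


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the rule over a stream of events and return one alert per matching event."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            klid = str(ev["Details"]).lower()
            alerts.append({
                "time": ev.get("UtcTime", ""),
                "key": ev["TargetObject"],
                "klid": klid,
                "layout": SUSPICIOUS_KLIDS[klid],
                "langid": language_id(klid),
            })
    return alerts


# Constructed sample Sysmon events (field names follow Sysmon's registry events;
# the SIDs, times and values are made up for this example).
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2020-09-04 15:41:00.000",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Keyboard Layout\Preload\2",
     "Details": "00000804"},                # Chinese layout preloaded -> alert
    {"EventID": 13, "UtcTime": "2020-09-04 15:41:01.000",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Keyboard Layout\Preload\1",
     "Details": "00000409"},                # US English -> benign
    {"EventID": 12, "UtcTime": "2020-09-04 15:41:02.000",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1002\Keyboard Layout\Preload\3",
     "Details": ""},                        # key create/delete, not a value set -> no match
    {"EventID": 13, "UtcTime": "2020-09-04 15:41:03.000",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\00000804\Layout File",
     "Details": "KBDUS.DLL"},               # system layout table, not the Preload key -> no match
    {"EventID": 13, "UtcTime": "2020-09-04 15:41:04.000",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1002\Keyboard Layout\Preload\2",
     "Details": "0000042A"},                # Vietnamese, upper-case hex -> alert
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['layout']} (KLID {alert['klid']}, "
              f"LANGID {alert['langid']}) set at {alert['key']}")
```

The lower-casing of both the target path and the value reproduces Sigma's case-insensitive matching, so a KLID written as `0000042A` still fires; the `Keyboard Layouts` event under HKLM is deliberately included to show that only the per-user `Preload` subkey is in scope, which is also why the Sysmon configuration must forward that subkey for the rule to see anything.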