Skip to content

Instantly share code, notes, and snippets.

View darkquasar's full-sized avatar

darkquasar darkquasar

View GitHub Profile
@darkquasar
darkquasar / sysmon_suspicious_keyboard_layout_load.yml
Last active October 16, 2019 04:28 — forked from Neo23x0/sysmon_suspicious_keyboard_layout_load.yml
Sigma Rule to Detect Uncommon Keyboard Layout Loads in Your Organisation
title: Suspicious Keyboard Layout Load
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
references:
- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
author: Florian Roth
date: 2019/10/12
logsource:
product: windows
service: sysmon
definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
@darkquasar
darkquasar / annotations.xml
Created February 25, 2021 01:57 — forked from Neo23x0/annotations.xml
Sources for APT Groups and Operations Search Engine
<?xml version="1.0" encoding="UTF-8" ?>
<Annotations start="0" num="138" total="138">
<Annotation about="*.401trg.pw/*" timestamp="0x00056c69af232729" href="Cg0qLjQwMXRyZy5wdy8qEKnOjPmajdsC">
<Label name="_cse_turlh5vi4xc" />
<AdditionalData attribute="original_url" value="https://401trg.pw/" />
</Annotation>
<Annotation about="decalage.info/en/security*" timestamp="0x00056c678a15c50b" href="ChpkZWNhbGFnZS5pbmZvL2VuL3NlY3VyaXR5KhCLitfQ-IzbAg">
<Label name="_cse_turlh5vi4xc" />
<AdditionalData attribute="original_url" value="https://decalage.info/en/security" />
</Annotation>