This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
title: Suspicious Keyboard Layout Load | |
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only | |
references: | |
- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index | |
author: Florian Roth | |
date: 2019/10/12 | |
logsource: | |
product: windows | |
service: sysmon | |
definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<?xml version="1.0" encoding="UTF-8" ?> | |
<Annotations start="0" num="138" total="138"> | |
<Annotation about="*.401trg.pw/*" timestamp="0x00056c69af232729" href="Cg0qLjQwMXRyZy5wdy8qEKnOjPmajdsC"> | |
<Label name="_cse_turlh5vi4xc" /> | |
<AdditionalData attribute="original_url" value="https://401trg.pw/" /> | |
</Annotation> | |
<Annotation about="decalage.info/en/security*" timestamp="0x00056c678a15c50b" href="ChpkZWNhbGFnZS5pbmZvL2VuL3NlY3VyaXR5KhCLitfQ-IzbAg"> | |
<Label name="_cse_turlh5vi4xc" /> | |
<AdditionalData attribute="original_url" value="https://decalage.info/en/security" /> | |
</Annotation> |