Forked from Neo23x0/sysmon_suspicious_keyboard_layout_load.yml
Created
October 17, 2019 13:12
Sigma Rule to Detect Uncommon Keyboard Layout Loads in Your Organisation
title: Suspicious Keyboard Layout Load
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
references:
    - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
author: Florian Roth
date: 2019/10/12
logsource:
    product: windows
    service: sysmon
    definition: 'Requirements: Sysmon config that monitors the \Keyboard Layout\Preload subkey of the per-user HKU\<SID> (HKCU) hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
detection:
    selection_registry:
        EventID: 13
        TargetObject: '*\Keyboard Layout\Preload\*'
        # Keyboard layout IDs are quoted so a YAML 1.1 parser does not read
        # all-digit values with a leading zero (e.g. 00000404) as octal integers
        Details:
            - '00000804' # Chinese
            - '00000c04' # Chinese
            - '00000404' # Chinese
            - '00001004' # Chinese
            - '00001404' # Chinese
            - '00000429' # Persian (Iran)
            - '00050429' # Persian (Iran)
            - '0000042a' # Vietnamese
            - '00000401' # Arabic
            - '00010401' # Arabic
            - '00020401' # Arabic
    condition: selection_registry
falsepositives:
    - "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)"
level: medium
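The following is an added example, not part of this gist or of the Sigma project: a small Python port of the rule's selection logic, run over constructed Sysmon Event ID 13 records so the matching behaviour can be checked offline. The event XML is simplified (no namespace, only the fields the rule needs), the sample SIDs and user names are made up, and the `known_users` allowlist is an assumption added to illustrate how the false-positive note above (users who legitimately use one of these layouts) can be handled in a pipeline.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Selection values copied from the Sigma rule above
PRELOAD_PATTERN = r"*\Keyboard Layout\Preload\*"
SUSPICIOUS_LAYOUTS = {
    "00000804", "00000c04", "00000404", "00001004", "00001404",  # Chinese
    "00000429", "00050429",                                      # Persian (Iran)
    "0000042a",                                                  # Vietnamese
    "00000401", "00010401", "00020401",                          # Arabic
}

# Constructed Sysmon events (simplified XML, fictional SIDs/users), not real telemetry
SAMPLE_EVENTS = [
    # 1: Chinese layout preloaded in a user hive -> should alert
    r"""<Event><System><EventID>13</EventID></System><EventData>
        <Data Name="EventType">SetValue</Data>
        <Data Name="TargetObject">HKU\S-1-5-21-1111-2222-3333-1001\Keyboard Layout\Preload\2</Data>
        <Data Name="Details">00000804</Data>
        <Data Name="User">CORP\alice</Data></EventData></Event>""",
    # 2: US layout (00000409) in the same subkey -> not in the list, no alert
    r"""<Event><System><EventID>13</EventID></System><EventData>
        <Data Name="EventType">SetValue</Data>
        <Data Name="TargetObject">HKU\S-1-5-21-1111-2222-3333-1002\Keyboard Layout\Preload\1</Data>
        <Data Name="Details">00000409</Data>
        <Data Name="User">CORP\bob</Data></EventData></Event>""",
    # 3: listed value written somewhere other than Preload -> TargetObject does not match
    r"""<Event><System><EventID>13</EventID></System><EventData>
        <Data Name="EventType">SetValue</Data>
        <Data Name="TargetObject">HKLM\SOFTWARE\Example\Setting</Data>
        <Data Name="Details">00000804</Data>
        <Data Name="User">CORP\carol</Data></EventData></Event>""",
    # 4: key creation (Event ID 12), not a value set -> wrong EventID
    r"""<Event><System><EventID>12</EventID></System><EventData>
        <Data Name="EventType">CreateKey</Data>
        <Data Name="TargetObject">HKU\S-1-5-21-1111-2222-3333-1003\Keyboard Layout\Preload</Data>
        <Data Name="User">CORP\erin</Data></EventData></Event>""",
    # 5: Vietnamese layout, upper-case hex -> matching must be case-insensitive like Sigma
    r"""<Event><System><EventID>13</EventID></System><EventData>
        <Data Name="EventType">SetValue</Data>
        <Data Name="TargetObject">HKU\S-1-5-21-1111-2222-3333-1004\Keyboard Layout\Preload\3</Data>
        <Data Name="Details">0000042A</Data>
        <Data Name="User">CORP\dave</Data></EventData></Event>""",
]


def parse_event(xml_text):
    """Flatten the simplified Sysmon XML into a dict of EventID plus EventData fields."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.findtext("System/EventID"))}
    for data in root.iter("Data"):
        event[data.get("Name")] = data.text or ""
    return event


def matches_rule(event):
    """Port of selection_registry: EventID 13, Preload subkey, Details in the KLID list."""
    if event.get("EventID") != 13:
        return False
    # Sigma string matching is case-insensitive; fnmatch treats backslashes literally
    target = event.get("TargetObject", "").lower()
    if not fnmatch.fnmatchcase(target, PRELOAD_PATTERN.lower()):
        return False
    return event.get("Details", "").lower() in SUSPICIOUS_LAYOUTS


def run_rule(xml_events, known_users=frozenset()):
    """Return (user, target, details) for every matching event whose user is not allowlisted.

    known_users is a hypothetical tuning knob for the rule's falsepositives note:
    lower-cased DOMAIN\\user names of people who legitimately use these layouts.
    """
    alerts = []
    for text in xml_events:
        event = parse_event(text)
        if matches_rule(event) and event.get("User", "").lower() not in known_users:
            alerts.append((event.get("User", ""), event["TargetObject"], event["Details"]))
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print("ALERT suspicious keyboard layout load:", alert)
```

Running the block prints two alerts (events 1 and 5); passing `known_users=frozenset({"corp\\dave"})` suppresses the second, which is the kind of per-organisation tuning the `falsepositives` entry calls for. In production the same check would be expressed in the SIEM's query language via sigmac rather than in Python, but the three conditions (event ID, wildcard on the Preload path, membership in the layout-ID list) are the ones that have to survive the translation.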