title: Suspicious Keyboard Layout Load
author: Florian Roth
date: 2019/10/12
description: Detects the keyboard preload installation with a suspicious keyboard
    layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems
    maintained by US staff only
detection:
    SELECTION_1:
        EventID: 12
    SELECTION_2:
        EventID: 13
    SELECTION_3:
        EventID: 14
    SELECTION_4:
        TargetObject: '*\Keyboard Layout\Preload\\*'
    SELECTION_5:
        TargetObject: '*\Keyboard Layout\Substitutes\\*'
    SELECTION_6:
        Details: '*00000429*'
    SELECTION_7:
        Details: '*00050429*'
    SELECTION_8:
        Details: '*0000042a*'
    condition: ((SELECTION_1 or SELECTION_2 or SELECTION_3) and (SELECTION_4 or SELECTION_5)
        and (SELECTION_6 or SELECTION_7 or SELECTION_8))
falsepositives:
- Administrators or users that actually use the selected keyboard layouts (heavily
    depends on the organisation's user base)
id: 34aa0252-6039-40ff-951f-939fd6ce47d8
level: medium
logsource:
    category: registry_event
    definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload
        subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
    product: windows
modified: 2019/10/15
references:
- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
- https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files
tags:
- attack.resource_development
- attack.t1588.002
yml_filename: sysmon_suspicious_keyboard_layout_load.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/registry_event