rule: suspicious keyboard layout load
This commit is contained in:
Florian Roth
@@ -0,0 +1,22 @@
|
||||
title: Suspicious Keyboard Layout Load
|
||||
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
|
||||
references:
|
||||
- https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
|
||||
author: Florian Roth
|
||||
date: 2019/10/12
|
||||
logsource:
|
||||
product: windows
|
||||
service: sysmon
|
||||
definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
|
||||
detection:
|
||||
selection_registry:
|
||||
EventID: 13
|
||||
TargetObject: '*\Keyboard Layout\Preload\*'
|
||||
Details:
|
||||
- 00000429 # Persian (Iran)
|
||||
- 00050429 # Persian (Iran)
|
||||
- 0000042a # Vietnamese
|
||||
condition: selection_registry
|
||||
falsepositives:
|
||||
- "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)"
|
||||
level: medium
|
||||
Reference in New Issue
Block a user