From 7ee3974428ac4137fa61afcef6bc5d0bfe2e10ad Mon Sep 17 00:00:00 2001
From: Florian Roth <florian.roth@bsk-consulting.de>
Date: Mon, 14 Oct 2019 16:25:27 +0200
Subject: [PATCH] rule: suspicious keyboard layout load

---
 ...sysmon_suspicious_keyboard_layout_load.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml

diff --git a/rules/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml b/rules/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml
new file mode 100644
index 000000000..08777dad1
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_suspicious_keyboard_layout_load.yml
@@ -0,0 +1,22 @@
+title: Suspicious Keyboard Layout Load
+description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
+references:
+    - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
+author: Florian Roth
+date: 2019/10/12
+logsource:
+    product: windows
+    service: sysmon
+    definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
+detection:
+    selection_registry:
+        EventID: 13
+        TargetObject: '*\Keyboard Layout\Preload\*'
+        Details: 
+            - 00000429  # Persian (Iran)
+            - 00050429  # Persian (Iran)
+            - 0000042a  # Vietnamese
+    condition: selection_registry
+falsepositives:
+    - "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)"
+level: medium