
Suspicious Keyboard Layout Load

Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only

Author: Florian Roth (Nextron Systems)
Created: Sat Oct 12
Updated: Thu Aug 17
Rule ID: 34aa0252-6039-40ff-951f-939fd6ce47d8

Log Source
Product: Windows (raw: windows)
Category: Registry Set (raw: registry_set)

Definition

Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files

Detection Logic
detection:
    selection_registry:
        TargetObject|contains:
            - '\Keyboard Layout\Preload\'
            - '\Keyboard Layout\Substitutes\'
        Details|contains:
            - 00000429  # Persian (Iran)
            - 00050429  # Persian (Iran)
            - 0000042a  # Vietnamese
    condition: selection_registry
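To show what this selection actually does when it is applied to telemetry, here is an added example (not code from the Sigma project or from this rule's author) that re-implements the small subset of Sigma semantics the rule needs, namely the `|contains` modifier, OR within a value list, AND across the two fields and case-insensitive string comparison, and runs it over constructed Sysmon Event ID 13 (RegistryEvent, Value Set) records. The records, SIDs, user names and image paths are made up for the example; the field names follow Sysmon's Value Set schema (TargetObject, Details, Image, User).

```python
"""Evaluate the Suspicious Keyboard Layout Load selection against constructed
Sysmon Event ID 13 records.  Added example, not the Sigma project's own code;
it implements only the rule's subset of Sigma semantics."""

from typing import Dict, List

# The rule's selection, transcribed from the YAML above.  Backslashes are
# doubled only because of Python string escaping.
SELECTION_REGISTRY: Dict[str, List[str]] = {
    "TargetObject|contains": [
        "\\Keyboard Layout\\Preload\\",
        "\\Keyboard Layout\\Substitutes\\",
    ],
    "Details|contains": [
        "00000429",  # Persian (Iran)
        "00050429",  # Persian (Iran)
        "0000042a",  # Vietnamese
    ],
}


def _field_matches(field_spec: str, patterns: List[str], event: Dict[str, object]) -> bool:
    """Match one 'field|modifier' entry.  A value list is OR-ed and, as in Sigma,
    string comparison is case-insensitive."""
    field, _, modifier = field_spec.partition("|")
    value = event.get(field)
    if value is None:
        return False
    haystack = str(value).lower()
    if modifier == "contains":
        return any(p.lower() in haystack for p in patterns)
    if modifier == "":
        return any(p.lower() == haystack for p in patterns)
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def selection_matches(selection: Dict[str, List[str]], event: Dict[str, object]) -> bool:
    """Every field in a Sigma selection map must match (AND across fields)."""
    return all(_field_matches(spec, pats, event) for spec, pats in selection.items())


def find_suspicious_layout_loads(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return the events the rule's condition (selection_registry) would alert on."""
    return [e for e in events if selection_matches(SELECTION_REGISTRY, e)]


# Constructed Sysmon Event ID 13 records (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {   # US layout preload: benign, Details is not in the watch list
        "EventID": 13, "Image": "C:\\Windows\\explorer.exe", "User": "CORP\\alice",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Keyboard Layout\\Preload\\1",
        "Details": "00000409",
    },
    {   # Persian layout written into a second preload slot: matches
        "EventID": 13, "Image": "C:\\Windows\\System32\\rundll32.exe", "User": "CORP\\bob",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1002\\Keyboard Layout\\Preload\\2",
        "Details": "00000429",
    },
    {   # Vietnamese substitute mapping logged with uppercase hex: still matches
        "EventID": 13, "Image": "C:\\Windows\\System32\\ctfmon.exe", "User": "CORP\\carol",
        "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1003\\Keyboard Layout\\Substitutes\\0000042A",
        "Details": "0000042A",
    },
    {   # Same value under an unrelated key: TargetObject fails, so no match
        "EventID": 13, "Image": "C:\\Windows\\regedit.exe", "User": "CORP\\dave",
        "TargetObject": "HKLM\\SOFTWARE\\Contoso\\Settings\\LastLayout",
        "Details": "00000429",
    },
]

if __name__ == "__main__":
    for hit in find_suspicious_layout_loads(SAMPLE_EVENTS):
        print(f"ALERT user={hit['User']} image={hit['Image']} "
              f"target={hit['TargetObject']} details={hit['Details']}")
```

Running the script reports the second and third events only. The first event shows why the rule lists specific layout identifiers rather than the Preload key alone: every interactive logon writes to that key, so the Details match is what keeps the rule from firing on normal sessions. The last event shows that both fields must agree, which is what the AND across selection fields gives you in Sigma. When triaging a hit, the Image and User fields carried by the same Sysmon event are the first things to check against the false-positive note below.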
False Positives

Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)

MITRE ATT&CK
attack.resource-development
attack.t1588.002

Rule Metadata
Rule ID: 34aa0252-6039-40ff-951f-939fd6ce47d8
Status: test
Level: medium
Type: Detection
Created: Sat Oct 12
Modified: Thu Aug 17
Path: rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml
Raw Tags: attack.resource-development, attack.t1588.002