administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)

t1588
t1588.002
windows
sigma

Techniques

t1588
t1588.002

Sample rules

Suspicious Keyboard Layout Load

source: sigma
technicques:
- t1588
- t1588.002

Description

Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only

Detection logic

condition: selection_registry
selection_registry:
  Details|contains:
  - 00000429
  - 00050429
  - 0000042a
  TargetObject|contains:
  - \Keyboard Layout\Preload\
  - \Keyboard Layout\Substitutes\