LoFP / imes are essential for languages that have more characters than can be represented on a standard keyboard, such as chinese, japanese, and korean.

Techniques

• t1562
• t1562.001

Sample rules

Uncommon Extension In Keyboard Layout IME File Registry Value

• source: sigma
• technicques:
  • t1562
  • t1562.001

Description

Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named “Ime File” with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.

Detection logic

condition: selection and not 1 of filter_main_*
filter_main_known_extension:
  Details|endswith: .ime
selection:
  TargetObject|contains|all:
  - \Control\Keyboard Layouts\
  - Ime File