Sigma Rule to Detect Uncommon Keyboard Layout Loads in Your Organisation

sysmon_suspicious_keyboard_layout_load.yml

title: Suspicious Keyboard Layout Load
description: Detects the keyboard preload installation with a suspicious keyboard layout, e.g. Chinese, Iranian or Vietnamese layout load in user session on systems maintained by US staff only
references:
    - https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index
author: Florian Roth
date: 2019/10/12
logsource:
    product: windows
    service: sysmon
    definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
detection:
    selection_reg_key_01: 
        TargetObject: '*\Keyboard Layout\Substitutes\*'
    selection_reg_key_02: 
        TargetObject: '*\Keyboard Layout\Preload\*'
    selection_registry:
        EventID: 13
        Details: 
            - 00000804  # Chinese
            - 00000c04  # Chinese
            - 00000404  # Chinese
            - 00001004  # Chinese
            - 00001404  # Chinese
            - 00000429  # Persian (Iran)
            - 00050429  # Persian (Iran)
            - 0000042a  # Vietnamese
            - 00000401  # Arabic
            - 00010401  # Arabic 
            - 00020401  # Arabic 
    condition: selection_registry AND (selection_reg_key_01 OR selection_reg_key_02) 
falsepositives:
    - "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)"
level: medium

Fixed TargetObject from '\Keyboard Layout\Preload*' to '\Keyboard Layout\Substitutes*'

Wrapped both values in an "OR" condition since Windows might show different behaviours according to different versions (suggestion from James Pemberton)