get keyboard layout

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: get keyboard layout
    namespace: host-interaction/hardware/keyboard
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Discovery::System Location Discovery::System Language Discovery [T1614.001]
    examples:
      - 6F99A2C8944CB02FF28C6F9CED59B161:0x4193C0
      - C91887D861D9BD4A5872249B641BC9F9:0x4015FD
  features:
    - and:
      - or:
        - api: user32.GetKeyboardLayoutList
        - api: user32.GetKeyboardLayout
        - api: user32.GetKeyboardLayoutName
      - optional:
        - api: kernel32.GetLocaleInfo

last edited: 2023-11-24 10:34:28