Suspicious Path In Keyboard Layout IME File Registry Value (9d8f9bb8-01af-4e15-a3a2-349071530530)
Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message. Before doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named "Ime File" with a DLL path. IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) | Attack Pattern | Suspicious Path In Keyboard Layout IME File Registry Value (9d8f9bb8-01af-4e15-a3a2-349071530530) | Sigma-Rules | 1 |