The “keyboy errors” rule matches the error-logging strings found in a KeyBoy sample: the shell's "Error2" marker together with the file-transfer error messages (download, upload, ReadFile, WriteFile, VirtualAlloc, RecvData and SendData failures) that the rule's metadata describes as the sample's "shell error2 log statements". SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential credential exposure or unauthorized access attempts.
YARA Rule
rule keyboy_errors
{
    meta:
        author = "Matt Brooks, @cmatthewbrooks"
        desc = "Matches the sample's shell error2 log statements"
        date = "2016-08-28"
        md5 = "495adb1b9777002ecfe22aaf52fcee93"

    strings:
        // These strings are in ASCII pre-2015 and UNICODE in 2016
        $error = "Error2" ascii wide

        // 2016 specific:
        $s1 = "Can't find [%s]!Check the file name and try again!" ascii wide
        $s2 = "Open [%s] error! %d" ascii wide
        $s3 = "The Size of [%s] is zero!" ascii wide
        $s4 = "CreateThread DownloadFile[%s] Error!" ascii wide
        $s5 = "UploadFile [%s] Error:Connect Server Failed!" ascii wide
        $s6 = "Receive [%s] Error(Recved[%d] != Send[%d])!" ascii wide
        $s7 = "Receive [%s] ok! Use %2.2f seconds, Average speed %2.2f k/s" ascii wide
        $s8 = "CreateThread UploadFile[%s] Error!" ascii wide

        // Pre-2016:
        $s9 = "Ready Download [%s] ok!" ascii wide
        $s10 = "Get ControlInfo from FileClient error!" ascii wide
        $s11 = "FileClient has a error!" ascii wide
        $s12 = "VirtualAlloc SendBuff Error(%d)" ascii wide
        $s13 = "ReadFile [%s] Error(%d)..." ascii wide
        $s14 = "ReadFile [%s] Data[Readed(%d) != FileSize(%d)] Error..." ascii wide
        $s15 = "CreateThread DownloadFile[%s] Error!" ascii wide
        $s16 = "RecvData MyRecv_Info Size Error!" ascii wide
        $s17 = "RecvData MyRecv_Info Tag Error!" ascii wide
        $s18 = "SendData szControlInfo_1 Error!" ascii wide
        $s19 = "SendData szControlInfo_3 Error!" ascii wide
        $s20 = "VirtualAlloc RecvBuff Error(%d)" ascii wide
        $s21 = "RecvData Error!" ascii wide
        // The mismatched bracket in [%s} is present in the sample itself
        $s22 = "WriteFile [%s} Error(%d)..." ascii wide

    condition:
        // MZ header, PE signature at e_lfanew, size limit, the Error2 marker, and any 3 of the $s* strings
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 200KB and $error and 3 of ($s*)
}
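To show how the rule's condition evaluates (the MZ/PE header checks, the 200KB size limit, the `ascii wide` modifier and the `3 of ($s*)` count), here is an added Python re-implementation of its logic run over a constructed PE-like byte blob; it is not part of the original page or the author's tooling, and it uses only a subset of the rule's strings.

```python
import struct

# Subset of the rule's $s1..$s22 format strings (enough to exercise "3 of ($s*)").
SUBSTRINGS = [
    "Can't find [%s]!Check the file name and try again!",
    "Open [%s] error! %d",
    "The Size of [%s] is zero!",
    "CreateThread DownloadFile[%s] Error!",
    "UploadFile [%s] Error:Connect Server Failed!",
    "Ready Download [%s] ok!",
    "VirtualAlloc SendBuff Error(%d)",
    "RecvData Error!",
]
MARKER = "Error2"          # the rule's $error string
MAX_SIZE = 200 * 1024      # filesize < 200KB


def present(data: bytes, s: str) -> bool:
    """Mirror YARA's 'ascii wide' modifier: match as ASCII or as UTF-16LE."""
    return s.encode("ascii") in data or s.encode("utf-16-le") in data


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550, bounds-checked."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def keyboy_errors_match(data: bytes) -> bool:
    """Evaluate the rule's condition over a file's bytes."""
    if not is_pe(data) or len(data) >= MAX_SIZE:
        return False
    if not present(data, MARKER):
        return False
    hits = sum(present(data, s) for s in SUBSTRINGS)
    return hits >= 3


def build_sample(strings, wide=False) -> bytes:
    """Constructed stand-in for a PE: MZ header, e_lfanew=0x80, PE signature, then strings."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x80)
    body = bytes(header) + b"\x00" * (0x80 - len(header)) + b"PE\x00\x00"
    enc = "utf-16-le" if wide else "ascii"
    return body + b"".join(s.encode(enc) + b"\x00\x00" for s in strings)
```

Note that the rule requires both the "Error2" marker and three of the message strings, so a file carrying only the marker, or only the messages, does not match.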
This rule contains 23 string patterns ($error plus $s1 through $s22) in its detection logic. The following scenarios describe contexts in which the rule may be deployed, with suggested filters or exclusions for each:
Scenario: System administrators using KeyBoy (a keyboard layout switching tool) during normal operations.
Filter/Exclusion: Check for process name keyboy.exe or use a process whitelisting rule for legitimate use cases.
Scenario: Scheduled backup jobs that temporarily use KeyBoy to switch layouts for specific tasks.
Filter/Exclusion: Exclude processes running under a scheduled task with a known job name or user context (e.g., BackupJob.exe or user backupsvc).
Scenario: Administrative tasks involving keyboard layout changes, such as during multilingual support configuration.
Filter/Exclusion: Filter by user context (e.g., Administrator or Domain Admins) and check for related configuration tools like Microsoft Keyboard Layout Creator.
Scenario: Legacy application compatibility testing where KeyBoy is used to simulate different keyboard layouts.
Filter/Exclusion: Exclude processes running in a test environment or with a specific environment variable like TEST_ENV=1.
Scenario: User-initiated keyboard layout switching during normal work hours.
Filter/Exclusion: Use user behavior analysis to exclude users who frequently switch layouts or use a whitelist of known users who regularly use KeyBoy.