T1614: System Location Discovery
Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from System Location Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings. Windows API functions such as GetLocaleInfoW
can also be used to determine the locale of the host. In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.
Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.
Detection
ID | DS0009 | Data source and component | Process: Process Creation | Description | Monitor newly executed processes that may gather information in an attempt to calculate the geographical location of a victim host. |
---|
ID | DS0009 | Data source and component | Process: OS API Execution | Description | Remote access tools with built-in features may interact directly with the Windows API, such as calling |
---|
ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor executed commands and arguments that may gather information in an attempt to calculate the geographical location of a victim host. |
---|