T1614.001: System Language Discovery

Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.

There are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Query Registry and calls to Native API functions.

For example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language or parsing the outputs of Windows API functions GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID.

On a macOS or Linux system, adversaries may run the locale command to retrieve the value of the $LANG environment variable.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

postgresql_database: PT-CR-1829: PostgreSQL_Structure_Discovery: Execution of certain SQL commands may indicate reconnaissance of the internal structure of the PostgreSQL database, which may indicate attacker activity

Detection

ID: DS0009
Data source and component: Process: Process Creation
Description: Monitor for newly executed processes that may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

ID: DS0009
Data source and component: Process: OS API Execution
Description: Monitor for API calls that may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

ID: DS0024
Data source and component: Windows Registry: Windows Registry Key Access
Description: Monitor for access to Windows registry keys that may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

ID: DS0017
Data source and component: Command: Command Execution
Description: Monitor executed commands and arguments that may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
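The following is an added example, not part of the ATT&CK page or of any Positive Technologies rule, showing how the four data sources above can be mapped onto the concrete indicators named in the technique description (the Nls\Language registry key, the four Windows API functions, and locale/$LANG). The Event record and the telemetry it is fed are constructed for illustration and do not follow a real EDR or Sysmon schema.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators taken from the technique description on this page.
LANG_REGISTRY_KEY = r"\SYSTEM\CurrentControlSet\Control\Nls\Language".lower()
LANG_APIS = {"GetUserDefaultUILanguage", "GetSystemDefaultUILanguage",
             "GetKeyboardLayoutList", "GetUserDefaultLangID"}
# `locale` run as a command, a read of $LANG, or reg.exe querying the Nls key.
LANG_COMMANDS = re.compile(
    r"(?:^|[\s;&|])locale\b|\$LANG\b|\breg(?:\.exe)?\s+query\b.*\\nls\\language",
    re.IGNORECASE)
# Labels mirror the data sources listed in the Detection section above.
LABELS = {"process_create": "DS0009 Process: Process Creation",
          "api": "DS0009 Process: OS API Execution",
          "registry": "DS0024 Windows Registry: Windows Registry Key Access",
          "command": "DS0017 Command: Command Execution"}

@dataclass
class Event:
    """Constructed, simplified telemetry record (not a real EDR/Sysmon schema)."""
    source: str  # one of the LABELS keys
    detail: str  # command line, API name or registry path
    image: str   # process that produced the event

def classify(event: Event) -> Optional[str]:
    """Return the matching data-source label, or None if the event looks benign."""
    if event.source == "api" and event.detail in LANG_APIS:
        return LABELS["api"]
    if event.source == "registry" and event.detail.lower().endswith(LANG_REGISTRY_KEY):
        return LABELS["registry"]
    if event.source in ("process_create", "command") and LANG_COMMANDS.search(event.detail):
        return LABELS[event.source]
    return None

def scan(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (label, image, detail) for every event that matches an indicator."""
    return [(label, e.image, e.detail) for e in events if (label := classify(e))]

# Constructed sample telemetry: four discovery events followed by two benign ones.
SAMPLE_EVENTS = [
    Event("process_create", r"reg.exe query HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language", "cmd.exe"),
    Event("api", "GetUserDefaultUILanguage", "update.exe"),
    Event("registry", r"HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language", "update.exe"),
    Event("command", "echo $LANG; locale", "bash"),
    Event("process_create", r"notepad.exe C:\Users\a\locale_notes.txt", "explorer.exe"),
    Event("registry", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "svchost.exe"),
]
```

Calling scan(SAMPLE_EVENTS) returns the first four events with their data-source labels and drops the two benign records; in practice the registry and API matches are the higher-fidelity signals, since the process and command patterns also fire on legitimate administration.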