T1614 System Location Discovery Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let GeoIPDomains = dynamic(["ipinfo.io", "ip-api.com", "ipgeolocation.io", "freegeoip.app", "ipstack.com", "geoplugin.net", "geoip.ubuntu.com", "api.ipify.org", "ifconfig.me", "checkip.amazonaws.com", "myexternalip.com", "ipapi.co"]);
let SuspiciousParents = dynamic(["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe"]);
// Vector 1: Process-based locale/timezone discovery
let LocaleProcessEvents =
    DeviceProcessEvents
    | where TimeGenerated > ago(1h)
    | where (
        // PowerShell locale cmdlets
        (FileName =~ "powershell.exe" or FileName =~ "pwsh.exe")
        and ProcessCommandLine has_any ("Get-WinSystemLocale", "Get-Culture", "Get-UICulture", "Get-TimeZone", "CultureInfo", "CurrentCulture", "CurrentUICulture", "[System.Globalization", "GetLocaleInfo", "GetSystemDefaultLCID", "GetSystemDefaultUILanguage")
    )
    or (
        // Registry queries for NLS/locale/timezone
        FileName =~ "reg.exe"
        and ProcessCommandLine has_any ("Nls\\", "TimeZoneInformation", "Keyboard Layout", "International", "MUI", "Language")
        and ProcessCommandLine has "query"
    )
    or (
        // tzutil timezone query
        FileName =~ "tzutil.exe"
        and ProcessCommandLine has "/g"
    )
    or (
        // WMIC locale queries
        FileName =~ "wmic.exe"
        and ProcessCommandLine has_any ("timezone", "locale", "os get locale", "win32_operatingsystem")
    )
    | where InitiatingProcessFileName has_any (SuspiciousParents)
       or InitiatingProcessParentFileName has_any (SuspiciousParents)
    | extend DetectionVector = "ProcessLocaleDiscovery"
    | extend RiskScore = case(
        InitiatingProcessParentFileName has_any (SuspiciousParents), 75,
        InitiatingProcessFileName has_any (SuspiciousParents), 60,
        50
    )
    | project TimeGenerated, DeviceId, DeviceName, AccountName, AccountDomain,
              FileName, ProcessCommandLine, FolderPath,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessParentFileName, DetectionVector, RiskScore;
// Vector 2: Network-based IP geolocation lookups
let GeoIPNetworkEvents =
    DeviceNetworkEvents
    | where TimeGenerated > ago(1h)
    | where RemoteUrl has_any (GeoIPDomains)
       or (RemoteIP == "169.254.169.254" and RemotePort in (80, 443)  // Cloud IMDS
           and InitiatingProcessFileName !in~ ("AzureGuestAgent.exe", "aws-cfn-bootstrap", "google_guest_agent", "waagent", "WindowsAzureGuestAgent.exe"))
    | extend DetectionVector = case(
        RemoteIP == "169.254.169.254", "CloudIMDSQuery",
        "GeoIPLookup"
    )
    | extend RiskScore = case(
        RemoteIP == "169.254.169.254"
        and InitiatingProcessFileName !in~ ("AzureGuestAgent.exe", "waagent", "google_guest_agent"), 80,
        RemoteUrl has_any ("ipinfo.io", "ip-api.com", "ipgeolocation.io"), 70,
        55
    )
    | project TimeGenerated, DeviceId, DeviceName,
              InitiatingProcessAccountName, InitiatingProcessFileName,
              InitiatingProcessCommandLine, InitiatingProcessParentFileName,
              RemoteUrl, RemoteIP, RemotePort, Protocol, DetectionVector, RiskScore;
// Combine and surface high-risk events
union LocaleProcessEvents, GeoIPNetworkEvents
| where RiskScore >= 55
| sort by RiskScore desc, TimeGenerated desc

medium severity medium confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

IT administration scripts using Get-TimeZone or tzutil.exe for asset inventory or time synchronization audits run by sysadmin accounts
Legitimate cloud management agents (AzureGuestAgent.exe, waagent, google_guest_agent) querying IMDS at 169.254.169.254 for instance identity and configuration metadata
Security monitoring tools and EDR agents that enumerate system locale to normalize event timestamps or support multi-region SIEM deployments
Software installers and update managers checking system locale to select appropriate language packs or regional configurations
Penetration testing frameworks executing discovery modules (Metasploit post-exploitation, CobaltStrike Beacon commands) during authorized red team engagements

Splunk

spl

index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security" OR sourcetype="syslog" OR sourcetype="linux_secure")
| where EventCode IN (1, 3, 4688)
| eval is_locale_process=case(
    EventCode IN (1, 4688)
      AND match(lower(coalesce(CommandLine, ProcessCmdLine, "")),
                "get-winsystemlocale|get-culture|get-uiculture|get-timezone|getlocaleinfo|getsystemdefaultlcid|getsystemdefaultuilanguage|currentculture|\\[system\.globalization"),
    1,
    EventCode IN (1, 4688)
      AND match(lower(coalesce(CommandLine, ProcessCmdLine, "")), "nls\\\\|timezoneinformation|keyboard layout|\\\\international")
      AND match(lower(coalesce(CommandLine, ProcessCmdLine, "")), "reg.exe|query"),
    1,
    EventCode IN (1, 4688)
      AND match(lower(coalesce(Image, ProcessName, "")), "tzutil\.exe")
      AND match(lower(coalesce(CommandLine, ProcessCmdLine, "")), "/g"),
    1,
    EventCode IN (1, 4688)
      AND match(lower(coalesce(Image, ProcessName, "")), "wmic\.exe")
      AND match(lower(coalesce(CommandLine, ProcessCmdLine, "")), "timezone|locale|win32_operatingsystem"),
    1,
    true(), 0
  )
| eval is_geoip_network=case(
    EventCode=3
      AND match(lower(coalesce(DestinationHostname, "")),
                "ipinfo\.io|ip-api\.com|ipgeolocation\.io|freegeoip\.app|ipstack\.com|geoplugin\.net|geoip\.ubuntu\.com|ipapi\.co|ifconfig\.me|checkip\.amazonaws\.com|myexternalip\.com"),
    1,
    EventCode=3
      AND DestinationIp="169.254.169.254"
      AND NOT match(lower(coalesce(Image, "")), "azureguestagent\.exe|waagent|google_guest_agent|windowsazureguestagent\.exe"),
    1,
    true(), 0
  )
| where is_locale_process=1 OR is_geoip_network=1
| eval detection_vector=case(
    is_geoip_network=1 AND DestinationIp="169.254.169.254", "CloudIMDSQuery",
    is_geoip_network=1, "GeoIPNetworkLookup",
    is_locale_process=1, "ProcessLocaleDiscovery",
    true(), "Unknown"
  )
| eval risk_score=case(
    detection_vector="CloudIMDSQuery", 80,
    detection_vector="GeoIPNetworkLookup"
      AND match(lower(coalesce(DestinationHostname, "")), "ipinfo\.io|ip-api\.com"), 70,
    detection_vector="GeoIPNetworkLookup", 60,
    detection_vector="ProcessLocaleDiscovery"
      AND match(lower(coalesce(ParentImage, ParentProcessName, "")),
                "powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe"), 65,
    detection_vector="ProcessLocaleDiscovery", 50,
    true(), 40
  )
| where risk_score >= 50
| table _time, host, User, Image, CommandLine, ParentImage, DestinationHostname, DestinationIp, detection_vector, risk_score
| sort -risk_score, -_time

medium severity medium confidence

Data Sources

Sysmon Windows Security Event Logs

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Scheduled IT inventory scripts invoking tzutil.exe or Get-TimeZone to audit time zone configuration across the fleet
Cloud VM management agents (AzureGuestAgent, Google Guest Agent, EC2 instance agent) legitimately querying 169.254.169.254 for instance metadata
Security orchestration tools (SIEMs, SOAR platforms) enumerating locale settings on managed hosts for alert normalization
Software deployment systems checking language settings before installing regional software packages
Developer toolchains and CI/CD pipelines querying locale to set build environment variables

Elastic Security (EQL)

eql

process where process.name in ("ipconfig.exe", "systeminfo.exe", "whoami.exe", "locale", "localectl", "tzdata", "timedatectl") and (process.parent.name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or process.args : ("/all", "locale", "timezone")) and not user.name in ("NT AUTHORITY\SYSTEM", "LOCAL SERVICE")

medium severity medium confidence

Data Sources

Elastic Endpoint Security

Required Tables

logs-endpoint.events.process-*

False Positives

IT administration scripts using Get-TimeZone or tzutil.exe for asset inventory or time synchronization audits run by sysadmin accounts
Legitimate cloud management agents (AzureGuestAgent.exe, waagent, google_guest_agent) querying IMDS at 169.254.169.254 for instance identity and configuration metadata
Security monitoring tools and EDR agents that enumerate system locale to normalize event timestamps or support multi-region SIEM deployments
Software installers and update managers checking system locale to select appropriate language packs or regional configurations
Penetration testing frameworks executing discovery modules (Metasploit post-exploitation, CobaltStrike Beacon commands) during authorized red team engagements

IBM QRadar (AQL)

sql

SELECT username as "Username", "UTF8(payload)" as "CommandLine", sourceip as "SourceIP", devicetime as "EventTime", CASE WHEN "CommandLine" ILIKE '%systeminfo%' AND "CommandLine" ILIKE '%locale%' THEN 70 WHEN "CommandLine" ILIKE '%ipconfig%' AND "CommandLine" ILIKE '%/all%' THEN 60 WHEN "CommandLine" ILIKE '%timedatectl%' OR "CommandLine" ILIKE '%localectl%' THEN 55 ELSE 40 END as "RiskScore" FROM events WHERE eventid = 4688 AND ("CommandLine" ILIKE '%systeminfo%' OR "CommandLine" ILIKE '%ipconfig%' OR "CommandLine" ILIKE '%locale%' OR "CommandLine" ILIKE '%timedatectl%' OR "CommandLine" ILIKE '%localectl%') ORDER BY "RiskScore" DESC LAST 24 HOURS

medium severity medium confidence

Data Sources

Windows Security Event Log Linux OS

Required Tables

events

False Positives

IT administration scripts using Get-TimeZone or tzutil.exe for asset inventory or time synchronization audits run by sysadmin accounts
Legitimate cloud management agents (AzureGuestAgent.exe, waagent, google_guest_agent) querying IMDS at 169.254.169.254 for instance identity and configuration metadata
Security monitoring tools and EDR agents that enumerate system locale to normalize event timestamps or support multi-region SIEM deployments
Software installers and update managers checking system locale to select appropriate language packs or regional configurations
Penetration testing frameworks executing discovery modules (Metasploit post-exploitation, CobaltStrike Beacon commands) during authorized red team engagements

Sumo Logic CSE

sql

_sourceCategory=endpoint/windows OR _sourceCategory=endpoint/linux | json auto | where process_name in ("ipconfig.exe", "systeminfo.exe", "locale", "localectl", "timedatectl") | if(matches(parent_process, "*powershell*") or matches(parent_process, "*cmd*"), "Medium", "Low") as RiskLevel | stats count by user_name, process_name, host_name, RiskLevel | sort by count desc

medium severity medium confidence

Data Sources

Windows Endpoint Events Linux Endpoint Events

Required Tables

endpoint/windows endpoint/linux

False Positives

IT administration scripts using Get-TimeZone or tzutil.exe for asset inventory or time synchronization audits run by sysadmin accounts
Legitimate cloud management agents (AzureGuestAgent.exe, waagent, google_guest_agent) querying IMDS at 169.254.169.254 for instance identity and configuration metadata
Security monitoring tools and EDR agents that enumerate system locale to normalize event timestamps or support multi-region SIEM deployments
Software installers and update managers checking system locale to select appropriate language packs or regional configurations
Penetration testing frameworks executing discovery modules (Metasploit post-exploitation, CobaltStrike Beacon commands) during authorized red team engagements

Google Chronicle / SecOps

yaral

rule detect_system_location_discovery {
  meta:
    author = "Argus"
    description = "Detects system location and language discovery used for geofencing"
    severity = "MEDIUM"
    technique = "T1614"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `ipconfig\.exe|systeminfo\.exe|locale|localectl|timedatectl`) nocase or
      re.regex($e.target.process.command_line, `Get-WinSystemLocale|Get-Culture|nlsinfo`) nocase
    )
    not $e.principal.user.windows_sid = "S-1-5-18"
  condition:
    $e
}

medium severity medium confidence

Data Sources

Endpoint Telemetry

Required Tables

PROCESS_LAUNCH

False Positives

IT administration scripts using Get-TimeZone or tzutil.exe for asset inventory or time synchronization audits run by sysadmin accounts
Legitimate cloud management agents (AzureGuestAgent.exe, waagent, google_guest_agent) querying IMDS at 169.254.169.254 for instance identity and configuration metadata
Security monitoring tools and EDR agents that enumerate system locale to normalize event timestamps or support multi-region SIEM deployments
Software installers and update managers checking system locale to select appropriate language packs or regional configurations
Penetration testing frameworks executing discovery modules (Metasploit post-exploitation, CobaltStrike Beacon commands) during authorized red team engagements

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /ipconfig\.exe|systeminfo\.exe|locale|localectl|timedatectl/i OR CommandHistory = /Get-WinSystemLocale|Get-Culture|nlsinfo|tzutil/i
| case {
    CommandHistory = /Get-WinSystemLocale|nlsinfo/i | DiscoveryType := "Language Discovery";
    CommandHistory = /tzutil|timedatectl/i | DiscoveryType := "Timezone Discovery";
    ImageFileName = /ipconfig/i AND CommandHistory = /\/all/i | DiscoveryType := "Network Info Discovery";
    * | DiscoveryType := "System Discovery"
  }
| table([@timestamp, UserName, ComputerName, ImageFileName, CommandHistory, DiscoveryType])

medium severity medium confidence

Data Sources

ProcessRollup2 (Falcon sensor)

Required Tables

ProcessRollup2

False Positives

IT administration scripts using Get-TimeZone or tzutil.exe for asset inventory or time synchronization audits run by sysadmin accounts
Legitimate cloud management agents (AzureGuestAgent.exe, waagent, google_guest_agent) querying IMDS at 169.254.169.254 for instance identity and configuration metadata
Security monitoring tools and EDR agents that enumerate system locale to normalize event timestamps or support multi-region SIEM deployments
Software installers and update managers checking system locale to select appropriate language packs or regional configurations
Penetration testing frameworks executing discovery modules (Metasploit post-exploitation, CobaltStrike Beacon commands) during authorized red team engagements

System Location Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (1)

Same Tactic: Discovery

Popular Detections