System Location Discovery
This detection identifies adversaries enumerating system locale, time zone, keyboard layout, language settings, and geographic location data to determine whether a target host falls within a desired operational geography. Attackers use this technique to implement geo-fencing logic — avoiding infection of hosts in certain regions, targeting specific populations, or evading sandbox environments. Detection covers three vectors: (1) process-based locale enumeration via PowerShell cmdlets, registry queries against NLS/TimeZoneInformation keys, and WinAPI locale functions called by suspicious parent processes; (2) outbound network connections to IP geolocation lookup services such as ipinfo.io and ip-api.com; and (3) cloud instance metadata service (IMDS) queries to 169.254.169.254 from non-cloud-management processes. Correlated alerts from multiple sub-techniques or combined with process injection and C2 beacon indicators significantly increase confidence.
What is T1614 System Location Discovery?
In MITRE ATT&CK, System Location Discovery (T1614) maps to the Discovery tactic: the adversary is trying to figure out your environment.
This page provides production-ready detection logic for System Location Discovery, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel. The queries below are rated medium severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic: Discovery
- Technique: T1614 System Location Discovery
- Canonical reference: https://attack.mitre.org/techniques/T1614/
```kql
let GeoIPDomains = dynamic(["ipinfo.io", "ip-api.com", "ipgeolocation.io", "freegeoip.app", "ipstack.com", "geoplugin.net", "geoip.ubuntu.com", "api.ipify.org", "ifconfig.me", "checkip.amazonaws.com", "myexternalip.com", "ipapi.co"]);
let SuspiciousParents = dynamic(["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe"]);
// Vector 1: Process-based locale/timezone discovery
let LocaleProcessEvents =
    DeviceProcessEvents
    | where TimeGenerated > ago(1h)
    | where (
            // PowerShell locale cmdlets
            (FileName =~ "powershell.exe" or FileName =~ "pwsh.exe")
            and ProcessCommandLine has_any ("Get-WinSystemLocale", "Get-Culture", "Get-UICulture", "Get-TimeZone", "CultureInfo", "CurrentCulture", "CurrentUICulture", "[System.Globalization", "GetLocaleInfo", "GetSystemDefaultLCID", "GetSystemDefaultUILanguage")
        )
        or (
            // Registry queries for NLS/locale/timezone
            FileName =~ "reg.exe"
            and ProcessCommandLine has_any ("Nls\\", "TimeZoneInformation", "Keyboard Layout", "International", "MUI", "Language")
            and ProcessCommandLine has "query"
        )
        or (
            // tzutil timezone query
            FileName =~ "tzutil.exe"
            and ProcessCommandLine has "/g"
        )
        or (
            // WMIC locale queries
            FileName =~ "wmic.exe"
            and ProcessCommandLine has_any ("timezone", "locale", "os get locale", "win32_operatingsystem")
        )
    // Only keep chains launched by (or from) a scripting/LOLBin parent
    | where InitiatingProcessFileName has_any (SuspiciousParents)
        or InitiatingProcessParentFileName has_any (SuspiciousParents)
    | extend DetectionVector = "ProcessLocaleDiscovery"
    // Score on ancestry: a suspicious grandparent outranks a suspicious parent
    | extend RiskScore = case(
        InitiatingProcessParentFileName has_any (SuspiciousParents), 75,
        InitiatingProcessFileName has_any (SuspiciousParents), 60,
        50
    )
    | project TimeGenerated, DeviceId, DeviceName, AccountName, AccountDomain,
        FileName, ProcessCommandLine, FolderPath,
        InitiatingProcessFileName, InitiatingProcessCommandLine,
        InitiatingProcessParentFileName, DetectionVector, RiskScore;
// Vector 2: Network-based IP geolocation lookups
let GeoIPNetworkEvents =
    DeviceNetworkEvents
    | where TimeGenerated > ago(1h)
    | where RemoteUrl has_any (GeoIPDomains)
        or (RemoteIP == "169.254.169.254" and RemotePort in (80, 443) // Cloud IMDS
            and InitiatingProcessFileName !in~ ("AzureGuestAgent.exe", "aws-cfn-bootstrap", "google_guest_agent", "waagent", "WindowsAzureGuestAgent.exe"))
    | extend DetectionVector = case(
        RemoteIP == "169.254.169.254", "CloudIMDSQuery",
        "GeoIPLookup"
    )
    | extend RiskScore = case(
        RemoteIP == "169.254.169.254"
            and InitiatingProcessFileName !in~ ("AzureGuestAgent.exe", "waagent", "google_guest_agent"), 80,
        RemoteUrl has_any ("ipinfo.io", "ip-api.com", "ipgeolocation.io"), 70,
        55
    )
    | project TimeGenerated, DeviceId, DeviceName,
        InitiatingProcessAccountName, InitiatingProcessFileName,
        InitiatingProcessCommandLine, InitiatingProcessParentFileName,
        RemoteUrl, RemoteIP, RemotePort, Protocol, DetectionVector, RiskScore;
// Combine and surface high-risk events
union LocaleProcessEvents, GeoIPNetworkEvents
| where RiskScore >= 55
| sort by RiskScore desc, TimeGenerated desc
```

Detects two primary attack vectors for System Location Discovery: (1) suspicious process chains invoking locale/timezone enumeration via PowerShell cmdlets (Get-WinSystemLocale, Get-Culture, Get-TimeZone), registry queries against HKLM\SYSTEM\CurrentControlSet\Control\Nls and TimeZoneInformation, tzutil.exe queries, and WMIC locale lookups, all initiated from high-risk parent processes; (2) outbound network connections to known IP geolocation services (ipinfo.io, ip-api.com, ipgeolocation.io, etc.) and unauthorized queries to the cloud instance metadata service (169.254.169.254) from non-cloud-agent processes. Each event is scored by risk based on process ancestry and destination specificity.
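As an added example (not code from the original page), the following Python re-implements the query's two vectors and RiskScore case() logic over constructed Defender-style event records, so the scoring can be exercised offline before the rule is deployed; it assumes the field names of the DeviceProcessEvents and DeviceNetworkEvents schema used above, and plain substring matching stands in for KQL's term-based has_any.

```python
# Added example (not from the page): Python re-implementation of the KQL above; plain substring matching stands in for KQL's term-based has_any.
GEOIP_DOMAINS = ("ipinfo.io", "ip-api.com", "ipgeolocation.io", "freegeoip.app", "ipstack.com", "geoplugin.net",
                 "geoip.ubuntu.com", "api.ipify.org", "ifconfig.me", "checkip.amazonaws.com", "myexternalip.com", "ipapi.co")
HIGH_CONF_GEOIP = ("ipinfo.io", "ip-api.com", "ipgeolocation.io")  # these score 70 in the KQL; other GeoIP domains score 55
SUSPICIOUS_PARENTS = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe")
CLOUD_AGENTS = ("azureguestagent.exe", "aws-cfn-bootstrap", "google_guest_agent", "waagent", "windowsazureguestagent.exe")
IMDS = "169.254.169.254"
PS_TERMS = ("get-winsystemlocale", "get-culture", "get-uiculture", "get-timezone", "cultureinfo", "currentculture",
            "currentuiculture", "[system.globalization", "getlocaleinfo", "getsystemdefaultlcid", "getsystemdefaultuilanguage")
REG_TERMS = ("nls\\", "timezoneinformation", "keyboard layout", "international", "mui", "language")
WMIC_TERMS = ("timezone", "locale", "win32_operatingsystem")

def _has_any(text, terms):
    return any(t in text.lower() for t in terms)

def score_process_event(ev):
    """Vector 1 (LocaleProcessEvents): return (DetectionVector, RiskScore) or None."""
    name, cmd = ev["FileName"].lower(), ev["ProcessCommandLine"]
    matched = ((name in ("powershell.exe", "pwsh.exe") and _has_any(cmd, PS_TERMS))
               or (name == "reg.exe" and "query" in cmd.lower() and _has_any(cmd, REG_TERMS))
               or (name == "tzutil.exe" and "/g" in cmd)
               or (name == "wmic.exe" and _has_any(cmd, WMIC_TERMS)))
    if not matched:
        return None
    if ev["InitiatingProcessParentFileName"].lower() in SUSPICIOUS_PARENTS:  # grandparent outranks parent
        return ("ProcessLocaleDiscovery", 75)
    if ev["InitiatingProcessFileName"].lower() in SUSPICIOUS_PARENTS:
        return ("ProcessLocaleDiscovery", 60)
    return None  # the KQL's default 50 branch is unreachable: its where clause already requires a suspicious ancestor

def score_network_event(ev):
    """Vector 2 (GeoIPNetworkEvents): return (DetectionVector, RiskScore) or None."""
    if ev["RemoteIP"] == IMDS and ev["RemotePort"] in (80, 443):
        return None if ev["InitiatingProcessFileName"].lower() in CLOUD_AGENTS else ("CloudIMDSQuery", 80)
    url = ev.get("RemoteUrl", "")
    if _has_any(url, HIGH_CONF_GEOIP):
        return ("GeoIPLookup", 70)
    return ("GeoIPLookup", 55) if _has_any(url, GEOIP_DOMAINS) else None

def detect(process_events, network_events, threshold=55):  # union, keep RiskScore >= 55, highest first (final KQL stage)
    scored = [(e, score_process_event(e)) for e in process_events] + [(e, score_network_event(e)) for e in network_events]
    hits = [{**e, "DetectionVector": r[0], "RiskScore": r[1]} for e, r in scored if r and r[1] >= threshold]
    return sorted(hits, key=lambda h: -h["RiskScore"])

# Constructed sample telemetry (not real data): a scripted locale query, an interactive tzutil run, an IMDS read.
SAMPLE_PROCESS = [{"FileName": "powershell.exe", "ProcessCommandLine": "powershell -nop -c Get-WinSystemLocale",
                   "InitiatingProcessFileName": "cmd.exe", "InitiatingProcessParentFileName": "WINWORD.EXE"},
                  {"FileName": "tzutil.exe", "ProcessCommandLine": "tzutil /g",
                   "InitiatingProcessFileName": "explorer.exe", "InitiatingProcessParentFileName": "userinit.exe"}]
SAMPLE_NETWORK = [{"RemoteIP": IMDS, "RemotePort": 80, "RemoteUrl": "", "InitiatingProcessFileName": "powershell.exe"}]
```

Running `detect(SAMPLE_PROCESS, SAMPLE_NETWORK)` surfaces the IMDS read (80) and the cmd.exe-launched PowerShell query (60) while the explorer-launched tzutil run is dropped, which is the same triage the KQL performs.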
Data Sources
Required Tables
The KQL query above reads from two Microsoft Defender for Endpoint / Sentinel tables:
- DeviceProcessEvents (process creation telemetry, used by the locale/timezone discovery vector)
- DeviceNetworkEvents (outbound connection telemetry, used by the GeoIP lookup and IMDS query vector)
False Positives
- IT administration scripts using Get-TimeZone or tzutil.exe for asset inventory or time synchronization audits run by sysadmin accounts
- Legitimate cloud management agents (AzureGuestAgent.exe, waagent, google_guest_agent) querying IMDS at 169.254.169.254 for instance identity and configuration metadata
- Security monitoring tools and EDR agents that enumerate system locale to normalize event timestamps or support multi-region SIEM deployments
- Software installers and update managers checking system locale to select appropriate language packs or regional configurations
- Penetration testing frameworks executing discovery modules (Metasploit post-exploitation, Cobalt Strike Beacon commands) during authorized red team engagements
Sigma rule & cross-platform mapping
The detection logic for System Location Discovery (T1614) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale) queries. In Sigma terms, this detection targets the following logsource:
```yaml
logsource:
  category: process_creation
  product: windows
```
Only the process-based vector fits this logsource; the GeoIP and IMDS network vector needs a separate rule on a network_connection or dns_query logsource.
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: PowerShell System Locale and Timezone Enumeration
Expected signal: Sysmon EventCode 1 with Image=powershell.exe and CommandLine containing Get-WinSystemLocale, Get-Culture, Get-UICulture, Get-TimeZone. Windows Security EventID 4688 if process creation auditing is enabled (the cmdlets are only visible there if command-line logging is also enabled).
- Test 2: Registry Query for NLS Locale and Keyboard Layout
Expected signal: Sysmon EventCode 1 with Image=reg.exe and CommandLine containing 'Nls', 'Locale', 'TimeZoneInformation', 'Keyboard Layout'. Sysmon EventCode 12/13 (registry query events) if registry monitoring is enabled. Note that Sysmon 12/13 fire on key creation/deletion and value writes rather than reads, so a read-only query is normally visible only through the process creation event.
- Test 3: IP Geolocation Lookup via HTTP API
Expected signal: Sysmon EventCode 3 with DestinationHostname containing 'ip-api.com' and 'ipinfo.io'. Sysmon EventCode 22 (DNS query) for both domains. Network proxy logs showing HTTP GET requests to those endpoints.
- Test 4: Linux Locale and Timezone Discovery
Expected signal: Auditd EXECVE records for locale, localectl, timedatectl commands. Syslog entries for process execution. EDR process creation events showing bash executing these commands. The KQL query above keys on Windows image names, so this test exercises a Linux-aware variant of the rule rather than that query.
- Test 5: Cloud Instance Metadata Service Geographic Discovery
Expected signal: Sysmon EventCode 3 with DestinationIP=169.254.169.254 and DestinationPort=80, InitiatingProcess=powershell.exe. Network events confirming TCP connection attempt to link-local metadata address.