T1614.001 System Language Discovery Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1614.001 — System Language Discovery
// Detects language geofencing checks used by ransomware and targeted malware
// Covers: chcp, reg.exe NLS queries, PowerShell locale APIs, wmic locale, locale command
let SuspiciousParents = dynamic([
    "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
    "regsvr32.exe", "msbuild.exe", "installutil.exe", "excel.exe",
    "winword.exe", "powerpnt.exe", "outlook.exe"
]);
// Pattern 1: chcp execution from suspicious script-interpreter or Office parent
// Matches IcedID: cmd.exe /c chcp >&2
let ChcpSuspicious = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName =~ "chcp.com") or
        (FileName =~ "cmd.exe" and ProcessCommandLine has "chcp" and ProcessCommandLine has ">&")
| where InitiatingProcessFileName has_any (SuspiciousParents)
       or (ProcessCommandLine has "chcp" and ProcessCommandLine has ">&2")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, InitiatingProcessId
| extend DetectionType = "ChcpCodePageCheck";
// Pattern 2: reg.exe querying NLS Language registry keys
// Matches Ryuk: HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language
let RegNlsQuery = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "reg.exe"
| where ProcessCommandLine has_any (["Nls\\Language", "Nls\\Locale", "Nls\\CodePage",
                                      "InstallLanguage", "CurrentControlSet\\Control\\Nls"])
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, InitiatingProcessId
| extend DetectionType = "RegistryNlsQuery";
// Pattern 3: PowerShell invoking language/locale discovery APIs or registry paths
// Matches: DarkSide, Maze, Cuba PowerShell dropper stages
let PsLangApi = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ([
    "GetUserDefaultUILanguage",
    "GetSystemDefaultUILanguage",
    "GetKeyboardLayoutList",
    "GetUserDefaultLangID",
    "InstalledUICulture",
    "CurrentUICulture",
    "Get-WinSystemLocale",
    "Get-Culture",
    "Nls\\Language",
    "OSLanguage",
    "[System.Globalization.CultureInfo]",
    "Win32_OperatingSystem"
  ])
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, InitiatingProcessId
| extend DetectionType = "PowerShellLangAPI";
// Pattern 4: WMIC querying OS locale or language properties
let WmicLang = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "wmic.exe"
| where ProcessCommandLine has "os" and
        ProcessCommandLine has_any (["Locale", "OSLanguage", "CodeSet", "CountryCode"])
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, InitiatingProcessId
| extend DetectionType = "WmicLocaleQuery";
// Pattern 5: locale command on Linux endpoints (MDE for Linux / Defender for Endpoint)
let LocaleCmd = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "locale" and FolderPath has_any ("/usr/bin", "/bin")
| where InitiatingProcessFileName in~ ("bash", "sh", "zsh", "python3", "python", "perl", "ruby")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, InitiatingProcessId
| extend DetectionType = "LinuxLocaleCommand";
union ChcpSuspicious, RegNlsQuery, PsLangApi, WmicLang, LocaleCmd
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Software installers legitimately checking system locale to present appropriate language packs or regional configuration options during setup
Internationalization (i18n) testing tools and localization verification scripts querying language settings as part of their normal function
IT diagnostics, asset management, and helpdesk scripts enumerating locale for inventory or troubleshooting regional configuration issues
chcp used in legitimate batch automation scripts for console encoding management, such as setting UTF-8 (codepage 65001) for correct output display
Monitoring and observability agents collecting system locale data as part of hardware/software inventory for CMDB or ITSM platforms

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image=lower(Image)
| eval ParentImage=lower(ParentImage)
| eval CommandLine=lower(CommandLine)
| eval ParentCommandLine=lower(ParentCommandLine)
// Pattern 1: chcp from suspicious script-interpreter or Office parent process
| eval ChcpSuspicious=if(
    match(Image, "chcp\.com$")
    AND match(ParentImage, "(wscript|cscript|mshta|rundll32|regsvr32|msbuild|installutil|excel|winword|powerpnt|outlook)\.exe$"),
    1, 0)
// IcedID-specific chcp redirect pattern: cmd.exe /c chcp >&2
| eval ChcpRedirect=if(
    match(Image, "cmd\.exe$")
    AND match(CommandLine, "chcp")
    AND match(CommandLine, ">&"),
    1, 0)
// Pattern 2: reg.exe querying NLS language registry keys (Ryuk / DarkSide)
| eval RegNlsQuery=if(
    match(Image, "reg\.exe$")
    AND match(CommandLine, "(nls|instlanguage|currentcontrolset.control.nls)"),
    1, 0)
// Pattern 3: PowerShell language/locale API invocations
| eval PsLangApi=if(
    match(Image, "(powershell|pwsh)\.exe$")
    AND match(CommandLine, "(getuserdefaultuilanguage|getsystemdefaultuilanguage|getkeyboardlayoutlist|getuserdefaultlangid|installeduiculture|currentuiculture|get-winsystemlocale|get-culture|nls.language|oslanguage|system\.globalization\.cultureinfo|win32_operatingsystem)"),
    1, 0)
// Pattern 4: WMIC OS locale/language query
| eval WmicLang=if(
    match(Image, "wmic\.exe$")
    AND match(CommandLine, "(locale|oslanguage|codeset|countrycode)")
    AND match(CommandLine, "\bos\b"),
    1, 0)
// Pattern 5: Linux locale binary from script interpreter parent
| eval LinuxLocale=if(
    match(Image, "/locale$")
    AND match(ParentImage, "(bash|sh|zsh|python3|python|perl|ruby)$"),
    1, 0)
| eval DetectionScore=ChcpSuspicious + ChcpRedirect + RegNlsQuery + PsLangApi + WmicLang + LinuxLocale
| where DetectionScore > 0
| eval DetectionTypes=mvappend(
    if(ChcpSuspicious=1, "ChcpFromSuspiciousParent", null()),
    if(ChcpRedirect=1, "ChcpIcedIDPattern", null()),
    if(RegNlsQuery=1, "RegistryNlsQuery", null()),
    if(PsLangApi=1, "PowerShellLangAPI", null()),
    if(WmicLang=1, "WmicLocaleQuery", null()),
    if(LinuxLocale=1, "LinuxLocaleCommand", null())
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionTypes, DetectionScore
| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software installers checking system locale to display appropriate language packs or regional setup options
Internationalization testing and localization verification tools querying language settings during QA processes
IT diagnostics and asset inventory scripts enumerating locale for helpdesk troubleshooting or CMDB population
Legitimate batch automation scripts using chcp for console encoding management (e.g., codepage 65001 for UTF-8 output)
Monitoring agents collecting system locale data as part of routine hardware and software inventory

Elastic Security (EQL)

eql

process where process.name in ("ipconfig.exe", "systeminfo.exe", "whoami.exe", "locale", "localectl", "tzdata", "timedatectl") and (process.parent.name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or process.args : ("/all", "locale", "timezone")) and not user.name in ("NT AUTHORITY\SYSTEM", "LOCAL SERVICE")

medium severity medium confidence

Data Sources

Elastic Endpoint Security

Required Tables

logs-endpoint.events.process-*

False Positives

Software installers legitimately checking system locale to present appropriate language packs or regional configuration options during setup
Internationalization (i18n) testing tools and localization verification scripts querying language settings as part of their normal function
IT diagnostics, asset management, and helpdesk scripts enumerating locale for inventory or troubleshooting regional configuration issues
chcp used in legitimate batch automation scripts for console encoding management, such as setting UTF-8 (codepage 65001) for correct output display
Monitoring and observability agents collecting system locale data as part of hardware/software inventory for CMDB or ITSM platforms

IBM QRadar (AQL)

sql

SELECT username as "Username", "UTF8(payload)" as "CommandLine", sourceip as "SourceIP", devicetime as "EventTime", CASE WHEN "CommandLine" ILIKE '%systeminfo%' AND "CommandLine" ILIKE '%locale%' THEN 70 WHEN "CommandLine" ILIKE '%ipconfig%' AND "CommandLine" ILIKE '%/all%' THEN 60 WHEN "CommandLine" ILIKE '%timedatectl%' OR "CommandLine" ILIKE '%localectl%' THEN 55 ELSE 40 END as "RiskScore" FROM events WHERE eventid = 4688 AND ("CommandLine" ILIKE '%systeminfo%' OR "CommandLine" ILIKE '%ipconfig%' OR "CommandLine" ILIKE '%locale%' OR "CommandLine" ILIKE '%timedatectl%' OR "CommandLine" ILIKE '%localectl%') ORDER BY "RiskScore" DESC LAST 24 HOURS

medium severity medium confidence

Data Sources

Windows Security Event Log Linux OS

Required Tables

events

False Positives

Software installers legitimately checking system locale to present appropriate language packs or regional configuration options during setup
Internationalization (i18n) testing tools and localization verification scripts querying language settings as part of their normal function
IT diagnostics, asset management, and helpdesk scripts enumerating locale for inventory or troubleshooting regional configuration issues
chcp used in legitimate batch automation scripts for console encoding management, such as setting UTF-8 (codepage 65001) for correct output display
Monitoring and observability agents collecting system locale data as part of hardware/software inventory for CMDB or ITSM platforms

Sumo Logic CSE

sql

_sourceCategory=endpoint/windows OR _sourceCategory=endpoint/linux | json auto | where process_name in ("ipconfig.exe", "systeminfo.exe", "locale", "localectl", "timedatectl") | if(matches(parent_process, "*powershell*") or matches(parent_process, "*cmd*"), "Medium", "Low") as RiskLevel | stats count by user_name, process_name, host_name, RiskLevel | sort by count desc

medium severity medium confidence

Data Sources

Windows Endpoint Events Linux Endpoint Events

Required Tables

endpoint/windows endpoint/linux

False Positives

Software installers legitimately checking system locale to present appropriate language packs or regional configuration options during setup
Internationalization (i18n) testing tools and localization verification scripts querying language settings as part of their normal function
IT diagnostics, asset management, and helpdesk scripts enumerating locale for inventory or troubleshooting regional configuration issues
chcp used in legitimate batch automation scripts for console encoding management, such as setting UTF-8 (codepage 65001) for correct output display
Monitoring and observability agents collecting system locale data as part of hardware/software inventory for CMDB or ITSM platforms

Google Chronicle / SecOps

yaral

rule detect_system_location_discovery {
  meta:
    author = "Argus"
    description = "Detects system location and language discovery used for geofencing"
    severity = "MEDIUM"
    technique = "T1614"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `ipconfig\.exe|systeminfo\.exe|locale|localectl|timedatectl`) nocase or
      re.regex($e.target.process.command_line, `Get-WinSystemLocale|Get-Culture|nlsinfo`) nocase
    )
    not $e.principal.user.windows_sid = "S-1-5-18"
  condition:
    $e
}

medium severity medium confidence

Data Sources

Endpoint Telemetry

Required Tables

PROCESS_LAUNCH

False Positives

Software installers legitimately checking system locale to present appropriate language packs or regional configuration options during setup
Internationalization (i18n) testing tools and localization verification scripts querying language settings as part of their normal function
IT diagnostics, asset management, and helpdesk scripts enumerating locale for inventory or troubleshooting regional configuration issues
chcp used in legitimate batch automation scripts for console encoding management, such as setting UTF-8 (codepage 65001) for correct output display
Monitoring and observability agents collecting system locale data as part of hardware/software inventory for CMDB or ITSM platforms

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /ipconfig\.exe|systeminfo\.exe|locale|localectl|timedatectl/i OR CommandHistory = /Get-WinSystemLocale|Get-Culture|nlsinfo|tzutil/i
| case {
    CommandHistory = /Get-WinSystemLocale|nlsinfo/i | DiscoveryType := "Language Discovery";
    CommandHistory = /tzutil|timedatectl/i | DiscoveryType := "Timezone Discovery";
    ImageFileName = /ipconfig/i AND CommandHistory = /\/all/i | DiscoveryType := "Network Info Discovery";
    * | DiscoveryType := "System Discovery"
  }
| table([@timestamp, UserName, ComputerName, ImageFileName, CommandHistory, DiscoveryType])

medium severity medium confidence

Data Sources

ProcessRollup2 (Falcon sensor)

Required Tables

ProcessRollup2

False Positives

Software installers legitimately checking system locale to present appropriate language packs or regional configuration options during setup
Internationalization (i18n) testing tools and localization verification scripts querying language settings as part of their normal function
IT diagnostics, asset management, and helpdesk scripts enumerating locale for inventory or troubleshooting regional configuration issues
chcp used in legitimate batch automation scripts for console encoding management, such as setting UTF-8 (codepage 65001) for correct output display
Monitoring and observability agents collecting system locale data as part of hardware/software inventory for CMDB or ITSM platforms

System Language Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Same Tactic: Discovery

Popular Detections