Detect System Language Discovery in Elastic Security
Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information is commonly used by ransomware families and targeted malware to implement geofencing logic — avoiding infection of systems in CIS or Eastern European countries to reduce law enforcement scrutiny. Real-world examples include Ryuk querying HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language for values 0x419 (Russian), 0x422 (Ukrainian), or 0x423 (Belarusian) before aborting; DarkSide, Maze, Avaddon, and Cuba using GetKeyboardLayoutList or GetUserDefaultUILanguage API calls; IcedID executing cmd.exe /c chcp >&2 to retrieve the active code page; and Cuckoo Stealer checking the $LANG environment variable on macOS. Detection pivots to process creation events capturing these discovery commands, registry queries to NLS language keys, and scripting-layer invocations of locale APIs.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1614 System Location Discovery
- Sub-technique
- T1614.001 System Language Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1614/001/
Elastic Detection Query
process where process.name in ("ipconfig.exe", "systeminfo.exe", "whoami.exe", "locale", "localectl", "tzdata", "timedatectl") and (process.parent.name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or process.args : ("/all", "locale", "timezone")) and not user.name in ("NT AUTHORITY\SYSTEM", "LOCAL SERVICE")Elastic EQL translation of the T1614.001 detection logic. Detects system language discovery techniques used by ransomware and targeted malware for geofencing. Covers five detection patterns using DeviceProces
Data Sources
Required Tables
False Positives & Tuning
- Software installers legitimately checking system locale to present appropriate language packs or regional configuration options during setup
- Internationalization (i18n) testing tools and localization verification scripts querying language settings as part of their normal function
- IT diagnostics, asset management, and helpdesk scripts enumerating locale for inventory or troubleshooting regional configuration issues
- chcp used in legitimate batch automation scripts for console encoding management, such as setting UTF-8 (codepage 65001) for correct output display
- Monitoring and observability agents collecting system locale data as part of hardware/software inventory for CMDB or ITSM platforms
Other platforms for T1614.001
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1IcedID chcp Output Redirect Pattern
Expected signal: Sysmon Event ID 1: Process Create — Image ends in cmd.exe, CommandLine contains 'chcp' and '>&'. Security Event ID 4688 (if command-line auditing enabled). The chcp output (e.g., 'Active code page: 437' for US English) is redirected to stderr.
- Test 2Ryuk Registry Language Check
Expected signal: Sysmon Event ID 1: Process Create — Image ends in reg.exe, CommandLine contains 'query', 'Nls', and 'InstallLanguage'. Security Event ID 4688 with same CommandLine if auditing is enabled. Output will display the DWORD value representing the installed language (e.g., 0x409 for English US).
- Test 3PowerShell System Language API Discovery
Expected signal: Sysmon Event ID 1: Process Create — Image ends in powershell.exe, CommandLine contains '[System.Globalization.CultureInfo]', 'InstalledUICulture', 'Get-WinSystemLocale', and 'InstallLanguage'. PowerShell ScriptBlock Log Event ID 4104 with full script content. Output includes locale names (e.g., 'en-US') and the hex language ID.
- Test 4WMIC OS Language and Locale Query
Expected signal: Sysmon Event ID 1: Process Create — Image ends in wmic.exe, CommandLine contains 'os', 'Locale', 'OSLanguage', 'CodeSet', and 'CountryCode'. Output includes the locale code (e.g., 0409 for US English), OS language code (e.g., 1033), code set (e.g., 1252), and country code (e.g., 1 for United States).
- Test 5Linux/macOS Locale Environment Discovery
Expected signal: On systems with MDE for Linux or Sysmon for Linux: process creation event for 'locale' binary with initiating process being bash/sh. On macOS: equivalent process creation events. Output includes LANG value (e.g., 'en_US.UTF-8'), LC_ALL, and locale configuration file contents. Python locale check output includes ('en_US', 'UTF-8') tuple.
References (10)
- https://attack.mitre.org/techniques/T1614/001/
- https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware
- https://securelist.com/evolution-of-jsworm-ransomware/102428/
- https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
- https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/
- https://www.welivesecurity.com/2009/01/15/malware-trying-to-avoid-some-countries/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1614.001/T1614.001.md
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/windows/win32/api/winnls/nf-winnls-getuserdefaultuilanguage
- https://www.trendmicro.com/en_us/research/20/i/xcsset-mac-malware-infects-xcode-projects-abuses-zero-day-exploits.html
Unlock Pro Content
Get the full detection package for T1614.001 including response playbook, investigation guide, and atomic red team tests.