T1614.001 Microsoft Sentinel · KQL

Detect System Language Discovery in Microsoft Sentinel

Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information is commonly used by ransomware families and targeted malware to implement geofencing logic — avoiding infection of systems in CIS or Eastern European countries to reduce law enforcement scrutiny. Real-world examples include Ryuk querying HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language for values 0x419 (Russian), 0x422 (Ukrainian), or 0x423 (Belarusian) before aborting; DarkSide, Maze, Avaddon, and Cuba using GetKeyboardLayoutList or GetUserDefaultUILanguage API calls; IcedID executing cmd.exe /c chcp >&2 to retrieve the active code page; and Cuckoo Stealer checking the $LANG environment variable on macOS. Detection pivots to process creation events capturing these discovery commands, registry queries to NLS language keys, and scripting-layer invocations of locale APIs.

MITRE ATT&CK

Tactic
Discovery
Technique
T1614 System Location Discovery
Sub-technique
T1614.001 System Language Discovery
Canonical reference
https://attack.mitre.org/techniques/T1614/001/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// T1614.001 — System Language Discovery
// Detects language geofencing checks used by ransomware and targeted malware
// Covers: chcp, reg.exe NLS queries, PowerShell locale APIs, wmic locale, locale command
let SuspiciousParents = dynamic([
    "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe",
    "regsvr32.exe", "msbuild.exe", "installutil.exe", "excel.exe",
    "winword.exe", "powerpnt.exe", "outlook.exe"
]);
// Pattern 1: chcp execution from suspicious script-interpreter or Office parent
// Matches IcedID: cmd.exe /c chcp >&2
let ChcpSuspicious = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName =~ "chcp.com") or
        (FileName =~ "cmd.exe" and ProcessCommandLine has "chcp" and ProcessCommandLine has ">&")
| where InitiatingProcessFileName has_any (SuspiciousParents)
       or (ProcessCommandLine has "chcp" and ProcessCommandLine has ">&2")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, InitiatingProcessId
| extend DetectionType = "ChcpCodePageCheck";
// Pattern 2: reg.exe querying NLS Language registry keys
// Matches Ryuk: HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language
let RegNlsQuery = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "reg.exe"
| where ProcessCommandLine has_any (["Nls\\Language", "Nls\\Locale", "Nls\\CodePage",
                                      "InstallLanguage", "CurrentControlSet\\Control\\Nls"])
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, InitiatingProcessId
| extend DetectionType = "RegistryNlsQuery";
// Pattern 3: PowerShell invoking language/locale discovery APIs or registry paths
// Matches: DarkSide, Maze, Cuba PowerShell dropper stages
let PsLangApi = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ([
    "GetUserDefaultUILanguage",
    "GetSystemDefaultUILanguage",
    "GetKeyboardLayoutList",
    "GetUserDefaultLangID",
    "InstalledUICulture",
    "CurrentUICulture",
    "Get-WinSystemLocale",
    "Get-Culture",
    "Nls\\Language",
    "OSLanguage",
    "[System.Globalization.CultureInfo]",
    "Win32_OperatingSystem"
  ])
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, InitiatingProcessId
| extend DetectionType = "PowerShellLangAPI";
// Pattern 4: WMIC querying OS locale or language properties
let WmicLang = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "wmic.exe"
| where ProcessCommandLine has "os" and
        ProcessCommandLine has_any (["Locale", "OSLanguage", "CodeSet", "CountryCode"])
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, InitiatingProcessId
| extend DetectionType = "WmicLocaleQuery";
// Pattern 5: locale command on Linux endpoints (MDE for Linux / Defender for Endpoint)
let LocaleCmd = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "locale" and FolderPath has_any ("/usr/bin", "/bin")
| where InitiatingProcessFileName in~ ("bash", "sh", "zsh", "python3", "python", "perl", "ruby")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, InitiatingProcessId
| extend DetectionType = "LinuxLocaleCommand";
union ChcpSuspicious, RegNlsQuery, PsLangApi, WmicLang, LocaleCmd
| sort by Timestamp desc
medium severity medium confidence

Detects system language discovery techniques used by ransomware and targeted malware for geofencing. Covers five detection patterns using DeviceProcessEvents: (1) chcp execution from suspicious script-interpreter or Office parents, including the exact IcedID pattern (cmd /c chcp >&2); (2) reg.exe queries to HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language matching Ryuk and DarkSide behavior; (3) PowerShell invocation of language discovery APIs such as GetUserDefaultUILanguage, GetKeyboardLayoutList, and Get-WinSystemLocale; (4) WMIC queries for OS locale and language properties; (5) locale binary invocation on Linux endpoints from scripting interpreter parents.

Data Sources

Process: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Software installers legitimately checking system locale to present appropriate language packs or regional configuration options during setup
  • Internationalization (i18n) testing tools and localization verification scripts querying language settings as part of their normal function
  • IT diagnostics, asset management, and helpdesk scripts enumerating locale for inventory or troubleshooting regional configuration issues
  • chcp used in legitimate batch automation scripts for console encoding management, such as setting UTF-8 (codepage 65001) for correct output display
  • Monitoring and observability agents collecting system locale data as part of hardware/software inventory for CMDB or ITSM platforms
Download portable Sigma rule (.yml)

Other platforms for T1614.001

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1IcedID chcp Output Redirect Pattern

    Expected signal: Sysmon Event ID 1: Process Create — Image ends in cmd.exe, CommandLine contains 'chcp' and '>&'. Security Event ID 4688 (if command-line auditing enabled). The chcp output (e.g., 'Active code page: 437' for US English) is redirected to stderr.

  2. Test 2Ryuk Registry Language Check

    Expected signal: Sysmon Event ID 1: Process Create — Image ends in reg.exe, CommandLine contains 'query', 'Nls', and 'InstallLanguage'. Security Event ID 4688 with same CommandLine if auditing is enabled. Output will display the DWORD value representing the installed language (e.g., 0x409 for English US).

  3. Test 3PowerShell System Language API Discovery

    Expected signal: Sysmon Event ID 1: Process Create — Image ends in powershell.exe, CommandLine contains '[System.Globalization.CultureInfo]', 'InstalledUICulture', 'Get-WinSystemLocale', and 'InstallLanguage'. PowerShell ScriptBlock Log Event ID 4104 with full script content. Output includes locale names (e.g., 'en-US') and the hex language ID.

  4. Test 4WMIC OS Language and Locale Query

    Expected signal: Sysmon Event ID 1: Process Create — Image ends in wmic.exe, CommandLine contains 'os', 'Locale', 'OSLanguage', 'CodeSet', and 'CountryCode'. Output includes the locale code (e.g., 0409 for US English), OS language code (e.g., 1033), code set (e.g., 1252), and country code (e.g., 1 for United States).

  5. Test 5Linux/macOS Locale Environment Discovery

    Expected signal: On systems with MDE for Linux or Sysmon for Linux: process creation event for 'locale' binary with initiating process being bash/sh. On macOS: equivalent process creation events. Output includes LANG value (e.g., 'en_US.UTF-8'), LC_ALL, and locale configuration file contents. Python locale check output includes ('en_US', 'UTF-8') tuple.

Last updated: 2026-03-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1614.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1614System Location Discovery

Related Techniques

T1614System Location DiscoveryT1082System Information DiscoveryT1012Query RegistryT1106Native APIT1033System Owner/User DiscoveryT1490Inhibit System RecoveryT1486Data Encrypted for ImpactT1059.003Windows Command ShellT1059.001PowerShellT1497.001System Checks

Same Tactic: Discovery

Popular Detections