T1614.001 Splunk · SPL

Detect System Language Discovery in Splunk

Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information is commonly used by ransomware families and targeted malware to implement geofencing logic — avoiding infection of systems in CIS or Eastern European countries to reduce law enforcement scrutiny. Real-world examples include Ryuk querying HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language for values 0x419 (Russian), 0x422 (Ukrainian), or 0x423 (Belarusian) before aborting; DarkSide, Maze, Avaddon, and Cuba using GetKeyboardLayoutList or GetUserDefaultUILanguage API calls; IcedID executing cmd.exe /c chcp >&2 to retrieve the active code page; and Cuckoo Stealer checking the $LANG environment variable on macOS. Detection pivots to process creation events capturing these discovery commands, registry queries to NLS language keys, and scripting-layer invocations of locale APIs.

MITRE ATT&CK

Tactic: Discovery
Technique: T1614 System Location Discovery
Sub-technique: T1614.001 System Language Discovery
Canonical reference: https://attack.mitre.org/techniques/T1614/001/

SPL Detection Query

Splunk (SPL)
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image=lower(Image)
| eval ParentImage=lower(ParentImage)
| eval CommandLine=lower(CommandLine)
| eval ParentCommandLine=lower(ParentCommandLine)
| eval ChcpSuspicious=if( ```Pattern 1: chcp from suspicious script-interpreter or Office parent process```
    match(Image, "chcp\.com$")
    AND match(ParentImage, "(wscript|cscript|mshta|rundll32|regsvr32|msbuild|installutil|excel|winword|powerpnt|outlook)\.exe$"),
    1, 0)
| eval ChcpRedirect=if( ```IcedID-specific chcp redirect pattern: cmd.exe /c chcp >&2```
    match(Image, "cmd\.exe$")
    AND match(CommandLine, "chcp")
    AND match(CommandLine, ">&"),
    1, 0)
| eval RegNlsQuery=if( ```Pattern 2: reg.exe querying NLS language registry keys (Ryuk / DarkSide); the value name is InstallLanguage```
    match(Image, "reg\.exe$")
    AND match(CommandLine, "(nls|installlanguage|currentcontrolset.control.nls)"),
    1, 0)
| eval PsLangApi=if( ```Pattern 3: PowerShell language/locale API invocations```
    match(Image, "(powershell|pwsh)\.exe$")
    AND match(CommandLine, "(getuserdefaultuilanguage|getsystemdefaultuilanguage|getkeyboardlayoutlist|getuserdefaultlangid|installeduiculture|currentuiculture|get-winsystemlocale|get-culture|nls.language|oslanguage|system\.globalization\.cultureinfo|win32_operatingsystem)"),
    1, 0)
| eval WmicLang=if( ```Pattern 4: WMIC OS locale/language query```
    match(Image, "wmic\.exe$")
    AND match(CommandLine, "(locale|oslanguage|codeset|countrycode)")
    AND match(CommandLine, "\bos\b"),
    1, 0)
| eval LinuxLocale=if( ```Pattern 5: Linux locale binary from script interpreter parent```
    match(Image, "/locale$")
    AND match(ParentImage, "(bash|sh|zsh|python3|python|perl|ruby)$"),
    1, 0)
| eval DetectionScore=ChcpSuspicious + ChcpRedirect + RegNlsQuery + PsLangApi + WmicLang + LinuxLocale
| where DetectionScore > 0
| eval DetectionTypes=mvappend(
    if(ChcpSuspicious=1, "ChcpFromSuspiciousParent", null()),
    if(ChcpRedirect=1, "ChcpIcedIDPattern", null()),
    if(RegNlsQuery=1, "RegistryNlsQuery", null()),
    if(PsLangApi=1, "PowerShellLangAPI", null()),
    if(WmicLang=1, "WmicLocaleQuery", null()),
    if(LinuxLocale=1, "LinuxLocaleCommand", null())
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionTypes, DetectionScore
| sort - _time
Severity: medium · Confidence: medium

Detects system language discovery techniques via Sysmon Event ID 1 (Process Creation). Evaluates six detection patterns: chcp execution from suspicious script-interpreter or Office application parents; the IcedID-specific chcp output redirection pattern (cmd /c chcp >&2); reg.exe NLS registry queries matching Ryuk and DarkSide geofencing behavior; PowerShell invocation of language discovery APIs; WMIC OS locale queries; and Linux locale binary execution from scripting interpreter parents. A DetectionScore field sums the matched patterns so analysts can prioritize events that trip more than one. Note that the search is scoped to the Windows Sysmon sourcetype, so the Linux locale pattern only fires where Linux process-creation events are indexed under that same sourcetype; widen the index and sourcetype filter to cover Sysmon for Linux or MDE data if those sources are in scope.

Data Sources

  • Process: Process Creation
  • Command: Command Execution
  • Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Software installers checking system locale to display appropriate language packs or regional setup options
  • Internationalization testing and localization verification tools querying language settings during QA processes
  • IT diagnostics and asset inventory scripts enumerating locale for helpdesk troubleshooting or CMDB population
  • Legitimate batch automation scripts using chcp for console encoding management (e.g., codepage 65001 for UTF-8 output)
  • Monitoring agents collecting system locale data as part of routine hardware and software inventory

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: IcedID chcp Output Redirect Pattern

    Expected signal: Sysmon Event ID 1: Process Create — Image ends in cmd.exe, CommandLine contains 'chcp' and '>&'. Security Event ID 4688 (if command-line auditing enabled). The chcp output (e.g., 'Active code page: 437' for US English) is redirected to stderr.

  2. Test 2: Ryuk Registry Language Check

    Expected signal: Sysmon Event ID 1: Process Create — Image ends in reg.exe, CommandLine contains 'query', 'Nls', and 'InstallLanguage'. Security Event ID 4688 with same CommandLine if auditing is enabled. Output will display the DWORD value representing the installed language (e.g., 0x409 for English US).

  3. Test 3: PowerShell System Language API Discovery

    Expected signal: Sysmon Event ID 1: Process Create — Image ends in powershell.exe, CommandLine contains '[System.Globalization.CultureInfo]', 'InstalledUICulture', 'Get-WinSystemLocale', and 'InstallLanguage'. PowerShell ScriptBlock Log Event ID 4104 with full script content. Output includes locale names (e.g., 'en-US') and the hex language ID.

  4. Test 4: WMIC OS Language and Locale Query

    Expected signal: Sysmon Event ID 1: Process Create — Image ends in wmic.exe, CommandLine contains 'os', 'Locale', 'OSLanguage', 'CodeSet', and 'CountryCode'. Output includes the locale code (e.g., 0409 for US English), OS language code (e.g., 1033), code set (e.g., 1252), and country code (e.g., 1 for United States).

  5. Test 5: Linux/macOS Locale Environment Discovery

    Expected signal: On systems with MDE for Linux or Sysmon for Linux: process creation event for 'locale' binary with initiating process being bash/sh. On macOS: equivalent process creation events. Output includes LANG value (e.g., 'en_US.UTF-8'), LC_ALL, and locale configuration file contents. Python locale check output includes ('en_US', 'UTF-8') tuple.
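To check the query's regexes before deploying, the six pattern evaluations from the SPL search above are re-implemented here in Python and run over constructed Sysmon-style process-creation records, one per test in the methodology plus the benign chcp 65001 batch case from the tuning list. This is an added example, not code from the original page; the field names (Image, ParentImage, CommandLine) follow the Sysmon Event ID 1 schema and the sample records are made up.

```python
import re

# (label, image regex, parent-image regex or None, command-line regexes that must all match).
# These mirror the eval patterns in the SPL search; fields are lowercased before matching.
PATTERNS = [
    ("ChcpFromSuspiciousParent", r"chcp\.com$",
     r"(wscript|cscript|mshta|rundll32|regsvr32|msbuild|installutil|excel|winword|powerpnt|outlook)\.exe$", []),
    ("ChcpIcedIDPattern", r"cmd\.exe$", None, [r"chcp", r">&"]),
    ("RegistryNlsQuery", r"reg\.exe$", None, [r"(nls|installlanguage|currentcontrolset.control.nls)"]),
    ("PowerShellLangAPI", r"(powershell|pwsh)\.exe$", None,
     [r"(getuserdefaultuilanguage|getsystemdefaultuilanguage|getkeyboardlayoutlist|getuserdefaultlangid|"
      r"installeduiculture|currentuiculture|get-winsystemlocale|get-culture|nls.language|oslanguage|"
      r"system\.globalization\.cultureinfo|win32_operatingsystem)"]),
    ("WmicLocaleQuery", r"wmic\.exe$", None, [r"(locale|oslanguage|codeset|countrycode)", r"\bos\b"]),
    ("LinuxLocaleCommand", r"/locale$", r"(bash|sh|zsh|python3|python|perl|ruby)$", []),
]

def score_event(event):
    """Return (DetectionScore, DetectionTypes) for one process-creation record, like the SPL evals."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "").lower()
    hits = []
    for label, image_re, parent_re, cmd_res in PATTERNS:
        if not re.search(image_re, image):
            continue
        if parent_re and not re.search(parent_re, parent):
            continue
        if all(re.search(r, cmd) for r in cmd_res):
            hits.append(label)
    return len(hits), hits

# Constructed sample events (not real telemetry): Tests 1-5 from the methodology, then a benign case.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c chcp >&2"},
    {"Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language /v InstallLanguage"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -c [System.Globalization.CultureInfo]::InstalledUICulture; Get-WinSystemLocale"},
    {"Image": r"C:\Windows\System32\wbem\wmic.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic os get Locale,OSLanguage,CodeSet,CountryCode"},
    {"Image": "/usr/bin/locale", "ParentImage": "/bin/bash", "CommandLine": "locale"},
    # Benign batch automation: chcp under a plain cmd.exe parent trips no pattern (see tuning list).
    {"Image": r"C:\Windows\System32\chcp.com", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "chcp 65001"},
]

def run_samples():
    """Score every constructed event; each test fires exactly one pattern, the benign case none."""
    return [score_event(e) for e in SAMPLE_EVENTS]
```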
