Detect System Location Discovery in Google Chronicle
This detection identifies adversaries enumerating system locale, time zone, keyboard layout, language settings, and geographic location data to determine whether a target host falls within a desired operational geography. Attackers use this technique to implement geo-fencing logic — avoiding infection of hosts in certain regions, targeting specific populations, or evading sandbox environments. Detection covers three vectors: (1) process-based locale enumeration via PowerShell cmdlets, registry queries against NLS/TimeZoneInformation keys, and WinAPI locale functions called by suspicious parent processes; (2) outbound network connections to IP geolocation lookup services such as ipinfo.io and ip-api.com; and (3) cloud instance metadata service (IMDS) queries to 169.254.169.254 from non-cloud-management processes. Correlated alerts from multiple sub-techniques or combined with process injection and C2 beacon indicators significantly increase confidence.
MITRE ATT&CK
- Tactic: Discovery
- Technique: T1614 System Location Discovery
- Canonical reference: https://attack.mitre.org/techniques/T1614/
YARA-L Detection Query

    rule detect_system_location_discovery {
      meta:
        author = "Argus"
        description = "Detects system location and language discovery used for geofencing"
        severity = "MEDIUM"
        technique = "T1614"

      events:
        $e.metadata.event_type = "PROCESS_LAUNCH"
        (
          re.regex($e.target.process.file.full_path, `ipconfig\.exe|systeminfo\.exe|locale|localectl|timedatectl`) nocase or
          re.regex($e.target.process.command_line, `Get-WinSystemLocale|Get-Culture|nlsinfo`) nocase
        )
        // Exclude LocalSystem (S-1-5-18); agents and inventory jobs running as SYSTEM are the main noise source
        $e.principal.user.windows_sid != "S-1-5-18"

      condition:
        $e
    }

Google Chronicle YARA-L 2.0 rule for T1614 detection using UDM event types and field matching. Detects two primary attack vectors for System Location Discovery: (1) suspicious process chains invo
False Positives & Tuning
- IT administration scripts using Get-TimeZone or tzutil.exe for asset inventory or time synchronization audits run by sysadmin accounts
- Legitimate cloud management agents (AzureGuestAgent.exe, waagent, google_guest_agent) querying IMDS at 169.254.169.254 for instance identity and configuration metadata
- Security monitoring tools and EDR agents that enumerate system locale to normalize event timestamps or support multi-region SIEM deployments
- Software installers and update managers checking system locale to select appropriate language packs or regional configurations
- Penetration testing frameworks executing discovery modules (Metasploit post-exploitation, CobaltStrike Beacon commands) during authorized red team engagements
Testing Methodology
Validate this detection against the 5 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: PowerShell System Locale and Timezone Enumeration
  Expected signal: Sysmon EventCode 1 with Image=powershell.exe and CommandLine containing Get-WinSystemLocale, Get-Culture, Get-UICulture or Get-TimeZone. Windows Security EventID 4688 if process creation auditing is enabled.
- Test 2: Registry Query for NLS Locale and Keyboard Layout
  Expected signal: Sysmon EventCode 1 with Image=reg.exe and CommandLine containing 'Nls', 'Locale', 'TimeZoneInformation' or 'Keyboard Layout'. Sysmon EventCode 12/13 if registry monitoring is enabled (these record key creation and value writes rather than reads, so reg.exe query activity is mostly visible through the process-creation event).
- Test 3: IP Geolocation Lookup via HTTP API
  Expected signal: Sysmon EventCode 3 with DestinationHostname containing 'ip-api.com' or 'ipinfo.io'. Sysmon EventCode 22 (DNS query) for both domains. Network proxy logs showing HTTP GET requests to those endpoints.
- Test 4: Linux Locale and Timezone Discovery
  Expected signal: Auditd EXECVE records for the locale, localectl and timedatectl commands. Syslog entries for process execution. EDR process creation events showing bash executing these commands.
- Test 5: Cloud Instance Metadata Service Geographic Discovery
  Expected signal: Sysmon EventCode 3 with DestinationIP=169.254.169.254, DestinationPort=80 and InitiatingProcess=powershell.exe. Network events confirming a TCP connection attempt to the link-local metadata address.
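The following is an added example, not part of the original detection package: a small Python model of the three detection vectors described above (the YARA-L process rule, the geolocation-service lookups, and IMDS queries from non-cloud-management processes), applying the tuning notes (SYSTEM SID exclusion, cloud agent allowlist) and the per-host correlation that raises confidence when more than one sub-technique fires. The event dictionaries, hostnames and IPs are constructed sample data shaped loosely like UDM fields, not real Chronicle output.

```python
import re
from collections import defaultdict

# Patterns mirror the page's YARA-L rule; the network vectors follow the page's description.
LOCALE_PROC_RE = re.compile(r"ipconfig\.exe|systeminfo\.exe|locale|localectl|timedatectl", re.I)
LOCALE_CMD_RE = re.compile(r"Get-WinSystemLocale|Get-Culture|nlsinfo", re.I)
GEOIP_HOSTS = ("ipinfo.io", "ip-api.com")
IMDS_IP = "169.254.169.254"
SYSTEM_SID = "S-1-5-18"
# Allowlist of cloud management agents taken from the tuning notes (assumed substrings of the image path).
CLOUD_AGENTS = ("azureguestagent.exe", "waagent", "google_guest_agent")

def classify(ev):
    """Return the T1614 sub-technique a UDM-shaped event matches, or None."""
    if ev.get("event_type") == "PROCESS_LAUNCH":
        if ev.get("user_sid") == SYSTEM_SID:
            return None  # rule excludes LocalSystem, as the YARA-L rule does
        if LOCALE_PROC_RE.search(ev.get("process_path", "")) or LOCALE_CMD_RE.search(ev.get("command_line", "")):
            return "locale_enum"
    elif ev.get("event_type") == "NETWORK_CONNECTION":
        if any(h in ev.get("target_hostname", "").lower() for h in GEOIP_HOSTS):
            return "geoip_lookup"
        proc = ev.get("process_path", "").lower()
        if ev.get("target_ip") == IMDS_IP and not any(a in proc for a in CLOUD_AGENTS):
            return "imds_query"
    return None

def score_hosts(events):
    """Group sub-technique hits per host; two or more distinct vectors escalate MEDIUM to HIGH."""
    hits = defaultdict(set)
    for ev in events:
        tag = classify(ev)
        if tag:
            hits[ev["hostname"]].add(tag)
    return {h: ("HIGH" if len(t) > 1 else "MEDIUM", sorted(t)) for h, t in hits.items()}

# Constructed sample telemetry (TEST-NET address, invented hostnames).
SAMPLE_EVENTS = [
    {"event_type": "PROCESS_LAUNCH", "hostname": "ws01", "user_sid": "S-1-5-21-1-2-3-1001",
     "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -nop -c Get-WinSystemLocale; Get-Culture"},
    {"event_type": "NETWORK_CONNECTION", "hostname": "ws01", "process_path": r"C:\Users\a\AppData\Local\Temp\upd.exe",
     "target_hostname": "ipinfo.io", "target_ip": "203.0.113.10"},
    # Azure VM agent reading IMDS: expected noise, must not fire.
    {"event_type": "NETWORK_CONNECTION", "hostname": "vm02", "process_path": r"C:\WindowsAzure\GuestAgent\WindowsAzureGuestAgent.exe",
     "target_hostname": "", "target_ip": IMDS_IP},
    # Same VM, PowerShell reaching IMDS: fires as imds_query.
    {"event_type": "NETWORK_CONNECTION", "hostname": "vm02", "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_hostname": "", "target_ip": IMDS_IP},
    # EDR agent running as SYSTEM: suppressed by the SID exclusion.
    {"event_type": "PROCESS_LAUNCH", "hostname": "srv03", "user_sid": SYSTEM_SID,
     "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": "Get-Culture"},
]

if __name__ == "__main__":
    print(score_hosts(SAMPLE_EVENTS))
```

Running it reports ws01 as HIGH (locale enumeration plus a geolocation lookup) and vm02 as MEDIUM (IMDS query from PowerShell only), while the agent and SYSTEM events are filtered out.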