T1614 Microsoft Sentinel · KQL

Detect System Location Discovery in Microsoft Sentinel

This detection identifies adversaries enumerating system locale, time zone, keyboard layout, language settings, and geographic location data to determine whether a target host falls within a desired operational geography. Attackers use this technique to implement geo-fencing logic — avoiding infection of hosts in certain regions, targeting specific populations, or evading sandbox environments. Detection covers three vectors: (1) process-based locale enumeration via PowerShell cmdlets, registry queries against NLS/TimeZoneInformation keys, and WinAPI locale functions called by suspicious parent processes; (2) outbound network connections to IP geolocation lookup services such as ipinfo.io and ip-api.com; and (3) cloud instance metadata service (IMDS) queries to 169.254.169.254 from non-cloud-management processes. Correlated alerts from multiple sub-techniques or combined with process injection and C2 beacon indicators significantly increase confidence.

MITRE ATT&CK

Tactic: Discovery
Technique: T1614 System Location Discovery
Canonical reference: https://attack.mitre.org/techniques/T1614/

KQL Detection Query

Microsoft Sentinel (KQL)
let GeoIPDomains = dynamic(["ipinfo.io", "ip-api.com", "ipgeolocation.io", "freegeoip.app", "ipstack.com", "geoplugin.net", "geoip.ubuntu.com", "api.ipify.org", "ifconfig.me", "checkip.amazonaws.com", "myexternalip.com", "ipapi.co"]);
let SuspiciousParents = dynamic(["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe"]);
// Vector 1: Process-based locale/timezone discovery
let LocaleProcessEvents =
    DeviceProcessEvents
    | where TimeGenerated > ago(1h)
    | where (
        // PowerShell locale cmdlets
        (FileName =~ "powershell.exe" or FileName =~ "pwsh.exe")
        and ProcessCommandLine has_any ("Get-WinSystemLocale", "Get-Culture", "Get-UICulture", "Get-TimeZone", "CultureInfo", "CurrentCulture", "CurrentUICulture", "[System.Globalization", "GetLocaleInfo", "GetSystemDefaultLCID", "GetSystemDefaultUILanguage")
    )
    or (
        // Registry queries for NLS/locale/timezone
        FileName =~ "reg.exe"
        and ProcessCommandLine has_any ("Nls\\", "TimeZoneInformation", "Keyboard Layout", "International", "MUI", "Language")
        and ProcessCommandLine has "query"
    )
    or (
        // tzutil timezone query
        FileName =~ "tzutil.exe"
        and ProcessCommandLine has "/g"
    )
    or (
        // WMIC locale queries
        FileName =~ "wmic.exe"
        and ProcessCommandLine has_any ("timezone", "locale", "os get locale", "win32_operatingsystem")
    )
    | where InitiatingProcessFileName has_any (SuspiciousParents)
       or InitiatingProcessParentFileName has_any (SuspiciousParents)
    | extend DetectionVector = "ProcessLocaleDiscovery"
    | extend RiskScore = case(
        InitiatingProcessParentFileName has_any (SuspiciousParents), 75,
        InitiatingProcessFileName has_any (SuspiciousParents), 60,
        50
    )
    | project TimeGenerated, DeviceId, DeviceName, AccountName, AccountDomain,
              FileName, ProcessCommandLine, FolderPath,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              InitiatingProcessParentFileName, DetectionVector, RiskScore;
// Vector 2: Network-based IP geolocation lookups
let GeoIPNetworkEvents =
    DeviceNetworkEvents
    | where TimeGenerated > ago(1h)
    | where RemoteUrl has_any (GeoIPDomains)
       or (RemoteIP == "169.254.169.254" and RemotePort in (80, 443)  // Cloud IMDS
           and InitiatingProcessFileName !in~ ("AzureGuestAgent.exe", "aws-cfn-bootstrap", "google_guest_agent", "waagent", "WindowsAzureGuestAgent.exe"))
    | extend DetectionVector = case(
        RemoteIP == "169.254.169.254", "CloudIMDSQuery",
        "GeoIPLookup"
    )
    | extend RiskScore = case(
        RemoteIP == "169.254.169.254"
        and InitiatingProcessFileName !in~ ("AzureGuestAgent.exe", "waagent", "google_guest_agent"), 80,
        RemoteUrl has_any ("ipinfo.io", "ip-api.com", "ipgeolocation.io"), 70,
        55
    )
    | project TimeGenerated, DeviceId, DeviceName,
              InitiatingProcessAccountName, InitiatingProcessFileName,
              InitiatingProcessCommandLine, InitiatingProcessParentFileName,
              RemoteUrl, RemoteIP, RemotePort, Protocol, DetectionVector, RiskScore;
// Combine and surface high-risk events
union LocaleProcessEvents, GeoIPNetworkEvents
| where RiskScore >= 55
| sort by RiskScore desc, TimeGenerated desc
Severity: medium · Confidence: medium

Detects two primary attack vectors for System Location Discovery: (1) suspicious process chains invoking locale/timezone enumeration via PowerShell cmdlets (Get-WinSystemLocale, Get-Culture, Get-TimeZone), registry queries against HKLM\SYSTEM\CurrentControlSet\Control\Nls and TimeZoneInformation, tzutil.exe queries, and WMIC locale lookups — all initiated from high-risk parent processes; (2) outbound network connections to known IP geolocation services (ipinfo.io, ip-api.com, ipgeolocation.io, etc.) and unauthorized queries to the cloud instance metadata service (169.254.169.254) from non-cloud-agent processes. Each event is scored by risk based on process ancestry and destination specificity.
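To make the risk ladder concrete, here is an added Python model of the query's scoring (example code written for this page, not the page's own query or any Microsoft API), run over constructed DeviceProcessEvents and DeviceNetworkEvents rows; the dict row layout and the substitution of substring checks for KQL term matching are assumptions.

```python
# Added example, not code from the original page: a Python model of the KQL risk scoring above,
# run over constructed DeviceProcessEvents / DeviceNetworkEvents rows (has_any simplified to substrings).
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                      "rundll32.exe", "regsvr32.exe", "wmic.exe"}
GEOIP_DOMAINS = ("ipinfo.io", "ip-api.com", "ipgeolocation.io", "freegeoip.app", "ipstack.com", "geoplugin.net",
                 "geoip.ubuntu.com", "api.ipify.org", "ifconfig.me", "checkip.amazonaws.com", "myexternalip.com", "ipapi.co")
HIGH_VALUE_GEOIP = ("ipinfo.io", "ip-api.com", "ipgeolocation.io")
CLOUD_AGENTS = {"azureguestagent.exe", "aws-cfn-bootstrap", "google_guest_agent", "waagent", "windowsazureguestagent.exe"}
IMDS = "169.254.169.254"
LOCALE_CMDLETS = ("get-winsystemlocale", "get-culture", "get-uiculture", "get-timezone", "cultureinfo", "currentculture",
                  "currentuiculture", "[system.globalization", "getlocaleinfo", "getsystemdefaultlcid", "getsystemdefaultuilanguage")
REG_KEYS = ("nls\\", "timezoneinformation", "keyboard layout", "international", "mui", "language")
WMIC_TERMS = ("timezone", "locale", "os get locale", "win32_operatingsystem")
def _has_any(text, needles):
    return any(n in text.lower() for n in needles)

def score_process_event(ev):
    """Vector 1: (DetectionVector, RiskScore) or None, mirroring the KQL case() ladder."""
    f, cl = ev["FileName"].lower(), ev["ProcessCommandLine"]
    hit = ((f in ("powershell.exe", "pwsh.exe") and _has_any(cl, LOCALE_CMDLETS))
           or (f == "reg.exe" and _has_any(cl, REG_KEYS) and "query" in cl.lower())
           or (f == "tzutil.exe" and "/g" in cl) or (f == "wmic.exe" and _has_any(cl, WMIC_TERMS)))
    parent, grandparent = ev["InitiatingProcessFileName"].lower(), ev["InitiatingProcessParentFileName"].lower()
    if not hit or not ({parent, grandparent} & SUSPICIOUS_PARENTS):
        return None  # locale query, but not launched from a high-risk process chain
    return ("ProcessLocaleDiscovery", 75 if grandparent in SUSPICIOUS_PARENTS else 60)

def score_network_event(ev):
    """Vector 2: GeoIP service lookup, or an IMDS query from a non-cloud-agent process."""
    if ev["RemoteIP"] == IMDS and ev["RemotePort"] in (80, 443):
        return None if ev["InitiatingProcessFileName"].lower() in CLOUD_AGENTS else ("CloudIMDSQuery", 80)
    if _has_any(ev["RemoteUrl"], GEOIP_DOMAINS):
        return ("GeoIPLookup", 70 if _has_any(ev["RemoteUrl"], HIGH_VALUE_GEOIP) else 55)
    return None

def run_detection(process_events, network_events, threshold=55):
    """Union both vectors, keep RiskScore >= threshold, sort by score desc (as the final KQL lines do)."""
    hits = [r for ev in process_events if (r := score_process_event(ev))]
    hits += [r for ev in network_events if (r := score_network_event(ev))]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])
# Constructed sample telemetry (not real logs). Expected scores: 80, 75, 60, 55; two rows filtered out.
PROC_KEYS = ("FileName", "ProcessCommandLine", "InitiatingProcessFileName", "InitiatingProcessParentFileName")
SAMPLE_PROCESS_EVENTS = [dict(zip(PROC_KEYS, r)) for r in (
    ("powershell.exe", "Get-TimeZone; Get-Culture", "cmd.exe", "wscript.exe"),
    ("reg.exe", r"query HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language", "powershell.exe", "explorer.exe"),
    ("tzutil.exe", "/g", "explorer.exe", "userinit.exe"))]  # console admin: no high-risk ancestor
NET_KEYS = ("InitiatingProcessFileName", "RemoteUrl", "RemoteIP", "RemotePort")
SAMPLE_NETWORK_EVENTS = [dict(zip(NET_KEYS, r)) for r in (
    ("curl.exe", "", IMDS, 80), ("waagent", "", IMDS, 80),  # second row: allowlisted cloud agent
    ("chrome.exe", "api.ipify.org", "203.0.113.5", 443))]
```

The tzutil and waagent rows show the two built-in suppressions (no high-risk ancestor, allowlisted cloud agent) that the tuning notes below rely on.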

Data Sources

  • Microsoft Defender for Endpoint
  • Microsoft Sentinel

Required Tables

  • DeviceProcessEvents
  • DeviceNetworkEvents

False Positives & Tuning

  • IT administration scripts using Get-TimeZone or tzutil.exe for asset inventory or time synchronization audits run by sysadmin accounts
  • Legitimate cloud management agents (AzureGuestAgent.exe, waagent, google_guest_agent) querying IMDS at 169.254.169.254 for instance identity and configuration metadata
  • Security monitoring tools and EDR agents that enumerate system locale to normalize event timestamps or support multi-region SIEM deployments
  • Software installers and update managers checking system locale to select appropriate language packs or regional configurations
  • Penetration testing frameworks executing discovery modules (Metasploit post-exploitation, CobaltStrike Beacon commands) during authorized red team engagements

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: PowerShell System Locale and Timezone Enumeration

    Expected signal: Sysmon EventCode 1 with Image=powershell.exe and CommandLine containing Get-WinSystemLocale, Get-Culture, Get-UICulture, Get-TimeZone. Windows Security EventID 4688 if process creation auditing is enabled.

  2. Test 2: Registry Query for NLS Locale and Keyboard Layout

    Expected signal: Sysmon EventCode 1 with Image=reg.exe and CommandLine containing 'Nls', 'Locale', 'TimeZoneInformation', 'Keyboard Layout'. Sysmon EventCode 12/13 (registry query events) if registry monitoring is enabled.

  3. Test 3: IP Geolocation Lookup via HTTP API

    Expected signal: Sysmon EventCode 3 with DestinationHostname containing 'ip-api.com' and 'ipinfo.io'. Sysmon EventCode 22 (DNS query) for both domains. Network proxy logs showing HTTP GET requests to those endpoints.

  4. Test 4: Linux Locale and Timezone Discovery

    Expected signal: Auditd EXECVE records for locale, localectl, timedatectl commands. Syslog entries for process execution. EDR process creation events showing bash executing these commands.

  5. Test 5: Cloud Instance Metadata Service Geographic Discovery

    Expected signal: Sysmon EventCode 3 with DestinationIP=169.254.169.254 and DestinationPort=80, InitiatingProcess=powershell.exe. Network events confirming TCP connection attempt to link-local metadata address.
