title: System Language Discovery (T1614.001)
id: df00tech-t1614-001
status: experimental
description: "Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information is commonly used by ransomware families and targeted malware to implement geofencing logic — avoiding infection of systems in CIS or Eastern European countries to reduce law enforcement scrutiny. Real-world examples include Ryuk querying HKLM\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language for values 0x419 (Russian), 0x422 (Ukrainian), or 0x423 (Belarusian) before aborting; DarkSide, Maze, Avaddon, and Cuba using GetKeyboardLayoutList or GetUserDefaultUILanguage API calls; IcedID executing cmd.exe /c chcp >&2 to retrieve the active code page; and Cuckoo Stealer checking the $LANG environment variable on macOS. Detection pivots to process creation events capturing these discovery commands, registry queries to NLS language keys, and scripting-layer invocations of locale APIs."
references:
  - https://attack.mitre.org/techniques/T1614/001/
  - https://df00tech.com/detections/T1614.001
author: df00tech
date: 2026/03/13
tags:
  - attack.t1614.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Selection derived from the discovery pivots named in the description
  # (chcp code-page query, NLS registry key, locale APIs on script command lines).
  # The KQL/SPL query on df00tech remains authoritative; tune this translation
  # against the listed false positives before deployment.
  selection_chcp:
    CommandLine|contains: 'chcp'
  selection_nls_registry:
    CommandLine|contains: '\Control\Nls\Language'
  selection_locale_api:
    CommandLine|contains:
      - 'GetKeyboardLayoutList'
      - 'GetUserDefaultUILanguage'
  condition: 1 of selection_*
falsepositives:
  - Software installers legitimately checking system locale to present appropriate language packs or regional configuration options during setup
  - Internationalization (i18n) testing tools and localization verification scripts querying language settings as part of their normal function
  - "IT diagnostics, asset management, and helpdesk scripts enumerating locale for inventory or troubleshooting regional configuration issues"
  - "chcp used in legitimate batch automation scripts for console encoding management, such as setting UTF-8 (codepage 65001) for correct output display"
  - Monitoring and observability agents collecting system locale data as part of hardware/software inventory for CMDB or ITSM platforms
level: medium
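As an added example (not part of the df00tech rule), a small Python matcher that applies the three process-creation pivots from the description to constructed Sysmon-style events and separates a bare `chcp` query from the `chcp 65001` false positive listed above; the field names, script-host list and sample command lines are assumptions.

```python
import re

# Process-creation pivots taken from the rule description (constructed example,
# not the df00tech rule itself). Field names follow Sysmon EventID 1 conventions.
NLS_LANGUAGE_KEY = r"\CurrentControlSet\Control\Nls\Language"
LOCALE_APIS = ("GetKeyboardLayoutList", "GetUserDefaultUILanguage")
# A bare "chcp" (no code-page argument) prints the active code page, which is the
# discovery pattern; "chcp 65001" sets a code page and is the listed false positive.
CHCP_QUERY_RE = re.compile(r"\bchcp\b(?!\s*\d)", re.IGNORECASE)
# Assumed set of script hosts for the "scripting-layer locale API" pivot.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def classify(event):
    """Return the discovery patterns matched by one process-creation event."""
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "").lower()
    hits = []
    if CHCP_QUERY_RE.search(cmd):
        hits.append("chcp_codepage_query")
    if NLS_LANGUAGE_KEY.lower() in cmd.lower():
        hits.append("nls_language_registry_query")
    if image.endswith(SCRIPT_HOSTS) and any(a.lower() in cmd.lower() for a in LOCALE_APIS):
        hits.append("locale_api_in_script")
    return hits


def run_detection(events):
    """Return (event index, matched patterns) for every event that triggers."""
    results = []
    for idx, ev in enumerate(events):
        hits = classify(ev)
        if hits:
            results.append((idx, hits))
    return results


# Constructed sample events: three discovery-style, two benign (chcp 65001, notepad).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c chcp >&2"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -c "[Win32.Nls]::GetUserDefaultUILanguage()"'},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c chcp 65001 && build.bat"},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": r"notepad.exe C:\temp\notes.txt"},
]

if __name__ == "__main__":
    for idx, hits in run_detection(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], "->", ", ".join(hits))
```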
