title: System Location Discovery (T1614)
id: df00tech-t1614
status: experimental
description: "This detection identifies adversaries enumerating system locale, time zone, keyboard layout, language settings, and geographic location data to determine whether a target host falls within a desired operational geography. Attackers use this technique to implement geo-fencing logic — avoiding infection of hosts in certain regions, targeting specific populations, or evading sandbox environments. Detection covers three vectors: (1) process-based locale enumeration via PowerShell cmdlets, registry queries against NLS/TimeZoneInformation keys, and WinAPI locale functions called by suspicious parent processes; (2) outbound network connections to IP geolocation lookup services such as ipinfo.io and ip-api.com; and (3) cloud instance metadata service (IMDS) queries to 169.254.169.254 from non-cloud-management processes. Correlated alerts from multiple sub-techniques or combined with process injection and C2 beacon indicators significantly increase confidence."
references:
  - https://attack.mitre.org/techniques/T1614/
  - https://df00tech.com/detections/T1614
author: df00tech
date: 2026/03/20
tags:
  - attack.t1614
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The full KQL/SPL query on df00tech could not be auto-translated; this selection is a process_creation
  # approximation built only from the cmdlets, registry keys and lookup hosts named in the description and falsepositives.
  selection:
    CommandLine|contains: ['Get-TimeZone', 'tzutil', 'TimeZoneInformation', '\Control\Nls', 'ipinfo.io', 'ip-api.com', '169.254.169.254']
  condition: selection
falsepositives:
  - IT administration scripts using Get-TimeZone or tzutil.exe for asset inventory or time synchronization audits run by sysadmin accounts
  - "Legitimate cloud management agents (AzureGuestAgent.exe, waagent, google_guest_agent) querying IMDS at 169.254.169.254 for instance identity and configuration metadata"
  - Security monitoring tools and EDR agents that enumerate system locale to normalize event timestamps or support multi-region SIEM deployments
  - Software installers and update managers checking system locale to select appropriate language packs or regional configurations
  - "Penetration testing frameworks executing discovery modules (Metasploit post-exploitation, CobaltStrike Beacon commands) during authorized red team engagements"
level: medium
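The three vectors from the description and the cross-vector correlation, as an added Python example that is not part of this rule and not df00tech's KQL/SPL query; the event field names, the vector labels and the medium/high levels are assumptions, and the telemetry is constructed.

```python
import re
from collections import defaultdict

# Vector 1: locale / time-zone enumeration in a process command line
# (cmdlets, tzutil.exe and the NLS / TimeZoneInformation registry keys).
LOCALE_PATTERN = re.compile(r"Get-TimeZone|tzutil|TimeZoneInformation|\\Control\\Nls", re.I)
# Vector 2: public IP geolocation lookup services.
GEOIP_HOSTS = {"ipinfo.io", "ip-api.com"}
# Vector 3: cloud IMDS address; these agents are expected to query it.
IMDS_ADDRESS = "169.254.169.254"
CLOUD_AGENTS = {"azureguestagent.exe", "waagent", "google_guest_agent"}


def classify(event):
    """Return the T1614 sub-technique label an event matches, or None (labels are assumed)."""
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    if event["type"] == "process":
        if LOCALE_PATTERN.search(event.get("cmdline", "")):
            return "locale_enum"
    elif event["type"] == "network":
        dest = event.get("dest", "").lower()
        if dest in GEOIP_HOSTS:
            return "geoip_lookup"
        if dest == IMDS_ADDRESS and image not in CLOUD_AGENTS:
            return "imds_query"
    return None


def correlate(events):
    """Group hits per host; two or more distinct vectors raise the level from medium to high."""
    hits = defaultdict(set)
    for ev in events:
        vector = classify(ev)
        if vector:
            hits[ev["host"]].add(vector)
    return {host: {"vectors": sorted(v), "level": "high" if len(v) > 1 else "medium"}
            for host, v in hits.items()}


# Constructed sample telemetry (not real logs); field names are assumed.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -c Get-TimeZone"},
    {"host": "WS01", "type": "network", "image": r"C:\Users\Public\svc.exe", "dest": "ip-api.com"},
    {"host": "VM02", "type": "network", "image": r"C:\WindowsAzure\AzureGuestAgent.exe", "dest": "169.254.169.254"},
    {"host": "VM03", "type": "network", "image": r"C:\Temp\upd.exe", "dest": "169.254.169.254"},
    {"host": "WS04", "type": "process", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"},
]

if __name__ == "__main__":
    for host, result in correlate(SAMPLE_EVENTS).items():
        print(host, result)
```

WS01 combines locale enumeration with a geolocation lookup and is raised to high, while the Azure agent on VM02 produces no hit at all.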
