System Language Discovery (T1614.001)

Information

• Name: System Language Discovery

• ID: T1614.001

• Tactics:

• Technique:

Introduction

System Language Discovery (T1614.001) is a sub-technique within the MITRE ATT&CK framework under the Discovery tactic. Attackers leverage this technique to identify the system's language settings, regional configurations, or localization preferences. Gathering this information helps adversaries tailor their attacks, evade detection, and ensure successful payload execution by matching the victim's environment specifics.

Deep Dive Into Technique

System Language Discovery involves adversaries querying operating system settings or configurations to determine the language or regional settings of a targeted system. Attackers typically perform this discovery using built-in system utilities, commands, APIs, or scripts. Common methods include:

• Windows-based methods:

  • Using command-line utilities such as systeminfo, wmic, or PowerShell commands:

    Copy

    systeminfo | findstr /B /C:"System Locale"

    Copy

    Get-WinSystemLocale

  • Querying registry keys directly to retrieve language and locale settings:

    Copy

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language

  • Leveraging Windows Management Instrumentation (WMI) to programmatically access language settings.

• Linux-based methods:

  • Using environment commands like locale:

    Copy

    locale

  • Checking environment variables such as LANG or LC_ALL:

    Copy

    echo $LANG

  • Reading configuration files such as /etc/default/locale.

• macOS-based methods:

  • Querying system settings using commands like:

    Copy

    defaults read -g AppleLocale

  • Checking language preferences through system configuration files or environment variables.

Adversaries often automate these queries through scripting languages such as PowerShell, Python, or Bash scripts. They may incorporate this discovery stage into malware or reconnaissance scripts to automatically adjust their subsequent actions based on the discovered settings.

When this Technique is Usually Used

System Language Discovery is typically employed during the early reconnaissance stages of an attack lifecycle. It can also appear during malware execution or persistence phases to ensure payload compatibility or to evade certain defensive measures. Common scenarios include:

• Initial reconnaissance: Attackers perform preliminary checks to gather intelligence about the target environment before launching more targeted attacks.

• Malware execution and payload customization: Malware may query language settings to determine appropriate payload delivery, ensuring compatibility and reducing the likelihood of detection.

• Sandbox and analysis environment evasion: Malware authors use language detection to identify analysis environments or sandboxes (which often have default language settings) and terminate execution accordingly.

• Targeted phishing campaigns: Attackers determine the victim's language settings to craft more convincing phishing emails or messages tailored to regional languages and cultural contexts.

How this Technique is Usually Detected

Detection of System Language Discovery involves monitoring system processes, command executions, and registry or configuration file access patterns. Specific methods and tools include:

• Command-line auditing and logging:

  • Enable detailed command-line logging to track execution of system utilities (systeminfo, wmic, PowerShell cmdlets) and scripts that query language settings.

• Registry monitoring (Windows):

  • Monitor access or queries to language-related registry keys:

    Copy

    HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language

• File access monitoring (Linux/macOS):

  • Track accesses to configuration files (/etc/default/locale) or queries to environment variables (LANG, LC_ALL).

• Endpoint Detection and Response (EDR) tools:

  • EDR solutions can detect abnormal scripts, unusual command-line executions, or suspicious API calls related to system language discovery.

• Behavioral analytics and SIEM solutions:

  • Correlate and analyze logs to detect anomalous discovery patterns and identify suspicious behaviors indicative of reconnaissance activity.

Indicators of Compromise (IoCs) and suspicious activities include:

• Unusual use of system utilities (systeminfo, wmic, locale) by uncommon processes or scripts.

• Repeated or scripted queries of language settings or locale configurations.

• Access to language-related registry keys or configuration files by unexpected processes or users.

Why it is Important to Detect This Technique

Early detection of System Language Discovery is crucial due to its role as a precursor to more sophisticated attacks. Identifying this technique promptly allows defenders to:

• Gain early warning of reconnaissance activity: Discovering adversaries early in their attack lifecycle increases the likelihood of preventing further compromise.

• Prevent targeted or tailored attacks: Attackers often leverage language discovery to customize malware or phishing campaigns; early detection disrupts these tailored attacks.

• Identify and mitigate evasion techniques: Malware frequently employs language detection to evade sandbox environments; detecting this behavior helps security teams identify and neutralize evasive malware.

• Reduce potential impacts: Early detection limits the adversary's ability to escalate privileges, move laterally, or exfiltrate data, thereby reducing overall damage to systems and networks.

Failure to detect this technique can lead to:

• Successful evasion of security controls.

• Increased chance of successful targeted attacks.

• Greater risk of data exfiltration, lateral movement, and persistent compromise.

Examples

Real-world examples of System Language Discovery include:

• TrickBot Malware:

  • TrickBot has been observed querying Windows language settings using PowerShell commands and registry queries to determine localization. This allows TrickBot operators to deliver tailored payloads and evade sandbox environments that often use default English-language settings.

• Emotet Malware:

  • Emotet has used system language detection to customize phishing emails and payloads, increasing the likelihood of successful infection within targeted regions. It uses scripts and registry queries to retrieve language settings and adjust its operations accordingly.

• APT29 (Cozy Bear):

  • APT29 has leveraged system reconnaissance techniques, including language and localization queries, to tailor their spear-phishing campaigns and malware payloads. This approach enhances their ability to evade detection and effectively compromise targeted systems.

• Sandbox Evasion Techniques:

  • Malware samples frequently perform language discovery to detect sandbox environments. For instance, malware may terminate execution if it detects a language setting commonly associated with analysis environments, such as English (US), thereby avoiding analysis and prolonging operational longevity.

These examples illustrate how adversaries practically apply System Language Discovery to enhance their attack effectiveness and evade detection, underscoring the importance of robust detection and prevention strategies.