T1614.001 - System Location Discovery: System Language Discovery

Description from ATT&CK

Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check) There are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Query Registry](https://attack.mitre.org/techniques/T1012) and calls to [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: CrowdStrike Ryuk January 2019) For example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language or parsing the outputs of Windows API functions GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID.(Citation: Darkside Ransomware Cybereason)(Citation: Securelist JSWorm)(Citation: SecureList SynAck Doppelgänging May 2018) On a macOS or Linux system, adversaries may query locale to retrieve the value of the $LANG environment variable.

Atomic Tests


Atomic Test #1 - Discover System Language by Registry Query

Identify System language by querying the registry on an endpoint.

Upon successful execution, result in number format can be looked up to correlate the language.

Supported Platforms: Windows

auto_generated_guid: 631d4cf1-42c9-4209-8fe9-6bd4de9421be

Attack Commands: Run with
1
command_prompt
!

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language



Atomic Test #2 - Discover System Language with chcp

Identify System language with the chcp command.

Upon successful execution, result in number format can be looked up to correlate the language.

Supported Platforms: Windows

auto_generated_guid: d91473ca-944e-477a-b484-0e80217cd789

Attack Commands: Run with
1
command_prompt
!

chcp



Atomic Test #3 - Discover System Language with locale

Identify System language with the

1
locale
command.

Upon successful execution, the output will contain the environment variables that indicate the 5 character locale that can be looked up to correlate the language and territory.

Supported Platforms: Linux

auto_generated_guid: 837d609b-845e-4519-90ce-edc3b4b0e138

Attack Commands: Run with
1
sh
!

1
locale



Atomic Test #4 - Discover System Language with localectl

Identify System language with the

1
localectl
command.

Upon successful execution, the key

1
System Locale
from the output will contain the
1
LANG
environment variable that has the 5 character locale result that can be looked up to correlate the language and territory.

Supported Platforms: Linux

auto_generated_guid: 07ce871a-b3c3-44a3-97fa-a20118fdc7c9

Attack Commands: Run with
1
sh
!

1
localectl status



Atomic Test #5 - Discover System Language by locale file

Identify System language with the by reading the locale configuration file.

The locale configuration file contains the

1
LANG
environment variable which will contain the 5 character locale that can be looked up to correlate the language and territory.

Supported Platforms: Linux

auto_generated_guid: 5d7057c9-2c8a-4026-91dd-13b5584daa69

Attack Commands: Run with
1
sh
!

1
[ -f /etc/locale.conf ] && cat /etc/locale.conf || cat /etc/default/locale

Dependencies: Run with
1
sh
!

Description: Check the location of the locale configuration file.
Check Prereq Commands:
1
[ -f /etc/locale.conf ] || [ -f /etc/default/locale ] && exit 0 || exit 1
Get Prereq Commands:
1
echo "Test only valid for systems that have locale file"



Atomic Test #6 - Discover System Language by Environment Variable Query

Identify System language by checking the environment variables

Upon successful execution, the 5 character locale result can be looked up to correlate the language and territory. Environment query commands are likely to run with a pattern match command e.g.

1
env | grep LANG

Note:

1
env
and
1
printenv
will usually provide the same results.
1
set
is also used as a builtin command that does not generate syscall telemetry but does provide a list of the environment variables.

Supported Platforms: Linux

auto_generated_guid: cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a

Attack Commands: Run with
1
sh
!

1
2
3
env | grep LANG
printenv LANG
set | grep LANG

Dependencies: Run with
1
sh
!

Description: Check if printenv command exists on the machine
Check Prereq Commands:
1
[ -x "$(command -v printenv)" ] && exit 0 || exit 1
Get Prereq Commands:
1
2
echo "printenv command does not exist"
exit 1



Atomic Test #7 - Discover System Language with dism.exe

The Windows utility DISM (Deployment Image Servicing and Management) can be used to display information about international settings and languages on the currently installed Windows image using an elevated terminal.

Supported Platforms: Windows

auto_generated_guid: 69f625ba-938f-4900-bdff-82ada3df5d9c

Attack Commands: Run with
1
command_prompt
! Elevation Required (e.g. root or admin)

dism.exe /online /Get-Intl



Atomic Test #8 - Discover System Language by Windows API Query

This test executes a custom script called LanguageKeyboardLayout.exe which outputs the values of the following Windows API functions to the user terminal:

1
GetKeyboardLayout
,
1
GetKeyboardLayoutList
,
1
GetUserDefaultUILanguage
,
1
GetSystemDefaultUILanguage
,
1
GetUserDefaultLangID
.

Documentation for these functions is located here.

Supported Platforms: Windows

auto_generated_guid: e39b99e9-ce7f-4b24-9c88-0fbad069e6c6

Attack Commands: Run with
1
command_prompt
!

PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe

Dependencies: Run with
1
powershell
!

Description: LanguageKeyboardLayout.exe must exist on disk (default location: PathToAtomicsFolder..\ExternalPayloads\LanguageKeyboardLayout.exe)
Check Prereq Commands:
1
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe") {exit 0} else {exit 1}
Get Prereq Commands:
1
2
New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe") -ErrorAction Ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1614.001/bin/LanguageKeyboardLayout.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe"