Try it using Invoke-Atomic

System Location Discovery: System Language Discovery

Description from ATT&CK

Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check)

There are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Query Registry and calls to Native API functions.(Citation: CrowdStrike Ryuk January 2019)

For example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language</code> or parsing the outputs of Windows API functions <code>GetUserDefaultUILanguage</code>, <code>GetSystemDefaultUILanguage</code>, <code>GetKeyboardLayoutList</code> and <code>GetUserDefaultLangID</code>.(Citation: Darkside Ransomware Cybereason)(Citation: Securelist JSWorm)(Citation: SecureList SynAck Doppelgänging May 2018)

On a macOS or Linux system, adversaries may query <code>locale</code> to retrieve the value of the <code>$LANG</code> environment variable. https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/

Atomic Tests

Atomic Test #1 - Discover System Language by Registry Query

Identify System language by querying the registry on an endpoint.

Upon successful execution, result in number format can be looked up to correlate the language.

Supported Platforms: windows

auto_generated_guid: 631d4cf1-42c9-4209-8fe9-6bd4de9421be

Inputs:

None

Attack Commands: Run with command_prompt!

1
2
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language

Atomic Test #2 - Discover System Language with chcp

Identify System language with the chcp command.

Upon successful execution, result in number format can be looked up to correlate the language.

Supported Platforms: windows

auto_generated_guid: d91473ca-944e-477a-b484-0e80217cd789

Inputs:

None

Attack Commands: Run with command_prompt!

1
2
chcp

source