Home/ATT&CK Technique/System Location Discovery
ATT&CK Technique

System Location Discovery

T1614 · discovery

Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from System Location Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.

Windows API functions such as GetLocaleInfoW can also be used to determine the locale of the host. In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance. Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.

IaaSLinuxmacOSWindows

Actors Using This

14
latin_america_brazilian_organized_cybercrimeAmavaldo
iranOilRig
iranAPT35
chinaAPT40
china_state_sponsored_mandiant_canonical_microsoft_mulberry_typhoonAPT5 (UNC2630 / UNC2717 / Mulberry Typhoon)
chinaAquatic Panda
russiaAwfulShred
russia_speaking_cybercrime8Base
iran_linked_dragos_tracked_ics_activity_group_cyberav3ngers_persona_2024_disclosedBAUXITE
russia_speaking_cybercrimeBianLian
chinaBillbug
russia_apt_sandwormBlackEnergy
commercial_cybercrime_uefi_bootkitBlackLotus
ransomware_raas_independent_emergenceCactus

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
initial-access earlier
T1200 · Hardware Additions ×2.70T0865 · Spearphishing Attachment ×2.70T0866 · Exploitation of Remote Services ×2.48T0822 · External Remote Services ×2.40
persistence earlier
T1556.001 · Domain Controller Authentication ×2.70
privilege-escalation earlier
T1055.012 · Process Hollowing ×2.70
discovery same
T1614.001 · System Language Discovery ×2.70T0846 · Remote System Discovery ×2.40
collection later
T0801 · Monitor Process State ×2.70
impact later
T0831 · Manipulation of Control ×2.70T0813 · Denial of Control ×2.70
other same
T0881 · Service Stop ×2.70T1562.003 · Impair Command History Logging ×2.70T0836 · Modify Parameter ×2.70T1036.008 · Masquerade File Type ×2.37

Atomic Tests

2
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
command_promptwindowsGet geolocation info through IP-Lookup services using curl Windows
Get geolocation info through IP-Lookup services using curl Windows. The default URL of the IP-Lookup service is https://ipinfo.io/. References: https://securelist.com/transparent-tribe-part-1/98127/ and https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/ 
#{curl_path} -k #{ip_lookup_url}
bashmacos, linuxGet geolocation info through IP-Lookup services using curl freebsd, linux or macos
Get geolocation info through IP-Lookup services using curl Windows. The default URL of the IP-Lookup service is https://ipinfo.io/. References: https://securelist.com/transparent-tribe-part-1/98127/ and https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/ 
curl -k #{ip_lookup_url}

Detection Coverage

1/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) none
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) 127
Vuln scan (Nuclei) none

Comply & Defend

D3FEND2 defensive techniques
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin