System Language Discovery

T1614.001 · discovery

Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.

There are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Query Registry and calls to Native API functions. For example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language or parsing the outputs of Windows API functions GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID.

On a macOS or Linux system, adversaries may query locale to retrieve the value of the $LANG environment variable.

Linux · macOS · Windows

Actors Using This

14
latin_america_brazilian_organized_cybercrime · Amavaldo
latin_america_brazilian_organized_cybercrime · Casbaneiro / Metamorfo
israel_private_sector_mobile_forensics_cyber_mercenary · Cellebrite
russia_speaking_organized_cybercrime · DarkSide / BlackMatter
united_states · Equation Group
latin_america_brazilian_organized_cybercrime · Grandoreiro
latin_america_brazilian_organized_cybercrime · Javali
north_korea · Lazarus Group
latin_america_brazilian_organized_cybercrime · Mekotio
latin_america_brazilian_organized_cybercrime · Mispadu / URSA
latin_america_brazilian_organized_cybercrime · Numando
latin_america_brazilian_organized_cybercrime · Ousaban
russia_speaking_organized_cybercrime · PikaBot Operators / Water Curupira
russia_speaking_organized_cybercrime · Qakbot / Qbot Operators

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
persistence earlier
privilege-escalation earlier
credential-access earlier

Atomic Tests

10
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
command_prompt · windows · Discover System Language by Registry Query
Identify the system language by querying the registry on an endpoint. Upon successful execution, the result is a numeric value that can be looked up to correlate the language.
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language
command_prompt · windows · Discover System Language with chcp
Identify the system language with the chcp command. Upon successful execution, the result is a numeric value that can be looked up to correlate the language.
chcp
sh · linux · Discover System Language with locale
Identify the system language with the `locale` command. Upon successful execution, the output will contain the environment variables that indicate the 5-character locale, which can be looked up to correlate the language and territory.
locale
sh · linux · Discover System Language with localectl
Identify the system language with the `localectl` command. Upon successful execution, the key `System Locale` in the output will contain the `LANG` environment variable, whose 5-character locale value can be looked up to correlate the language and territory.
localectl status
sh · linux · Discover System Language by locale file
Identify the system language by reading the locale configuration file. The locale configuration file contains the `LANG` environment variable, which holds the 5-character locale that can be looked up to correlate the language and territory.
[ -f /etc/locale.conf ] && cat /etc/locale.conf || cat /etc/default/locale
sh · linux · Discover System Language by Environment Variable Query
Identify the system language by checking the environment variables. Upon successful execution, the 5-character locale result can be looked up to correlate the language and territory. Environment query commands are likely to run with a pattern match command, e.g. `env | grep LANG`. Note: `env` and `printenv` will usually provide the same results. `set` is also used as a builtin command that does not generate syscall telemetry but does provide a list of the environment variables.
env | grep LANG
printenv LANG
set | grep LANG
command_prompt · elevated · windows · Discover System Language with dism.exe
The Windows utility DISM (Deployment Image Servicing and Management) can be used to display information about international settings and languages on the currently installed Windows image using an elevated terminal.
dism.exe /online /Get-Intl
command_prompt · windows · Discover System Language by Windows API Query
This test executes a custom script called LanguageKeyboardLayout.exe which outputs the values of the following Windows API functions to the user terminal: `GetKeyboardLayout`, `GetKeyboardLayoutList`, `GetUserDefaultUILanguage`, `GetSystemDefaultUILanguage`, `GetUserDefaultLangID`. Documentation for these functions is located [here](https://learn.microsoft.com/en-us/windows/win32/api/winuser/).
PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe
command_prompt · windows · Discover System Language with WMIC
WMIC (Windows Management Instrumentation Command-line) is a command-line tool that provides a simplified interface to query and manage Windows system configurations, processes, and hardware information using WMI. The command in this test retrieves information about the system's locale, operating system language, and multilingual user interface (MUI) languages.
wmic /node:#{target_host} os get Locale,OSLanguage,MUILanguages /format:#{format_style}
powershell · windows · Discover System Language with Powershell
This PowerShell script collects key system settings, such as the UI language, user language preferences, system locale, current culture, UI culture, and time zone, into a hash table. It then outputs these settings in a readable key-value format directly to the terminal. The script is simple and efficient for quickly displaying system configuration details.
$info = @{
  UILanguage     = Get-WinUILanguageOverride
  UserLanguages  = (Get-WinUserLanguageList).LanguageTag -join ', '
  SystemLocale   = Get-WinSystemLocale
  CurrentCulture = [System.Globalization.CultureInfo]::CurrentCulture.Name
  CurrentUICulture = [System.Globalization.CultureInfo]::CurrentUICulture.Name
  TimeZone       = (Get-TimeZone).Id
}
$info.GetEnumerator() | ForEach-Object { "$($_.Name): $($_.Value)" }

Detection Coverage

1/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma): 2
Analytics (MITRE CAR): none
Runtime / container (Falco): none
File / malware (YARA): none
Network (Suricata/Snort): none
Vuln scan (Nuclei): none
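
To check that the behavioral/log layer actually covers the Atomic tests listed above, the sketch below matches process-creation command lines against patterns derived from those test commands and then correlates hits per host and parent process. It is an added example, not a rule shipped by this page or by Atomic Red Team. The event field names (`host`, `parent`, `command_line`), the rule labels, the sample events and the "two or more distinct methods" threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Patterns derived from the Atomic test commands on this page.
# Rule names are labels invented for this example.
RULES = {
    "reg_nls_language": r"\breg(\.exe)?\b.*\bquery\b.*\\Control\\Nls\\Language",
    "chcp": r"(^|[\\/\s&|])chcp(\.com)?\s*$",  # bare chcp only; "chcp 65001" sets a code page
    "dism_get_intl": r"\bdism(\.exe)?\b.*/Get-Intl\b",
    "wmic_os_locale": r"\bwmic(\.exe)?\b.*\bos\b.*\bget\b.*\b(Locale|OSLanguage|MUILanguages)\b",
    "ps_language_cmdlet": r"\bGet-Win(SystemLocale|UILanguageOverride|UserLanguageList)\b",
    "locale_cmd": r"^(\S*/)?locale(ctl\s+status)?\s*$",
    "locale_file_read": r"\bcat\b.*(/etc/locale\.conf|/etc/default/locale)",
    "env_lang": r"\b(printenv|grep)\s+LANG\b",  # `set` is a builtin; only its grep is logged
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

def match_rules(command_line):
    """Return the sorted rule names whose pattern matches one command line."""
    return sorted(n for n, rx in COMPILED.items() if rx.search(command_line))

def correlate(events, min_distinct=2):
    """Group hits by (host, parent) and keep groups that used at least
    min_distinct different discovery methods (threshold is an assumption)."""
    seen = defaultdict(set)
    for ev in events:
        for rule in match_rules(ev["command_line"]):
            seen[(ev["host"], ev["parent"])].add(rule)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_distinct}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "updater.exe",
     "command_line": r"reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language"},
    {"host": "ws01", "parent": "updater.exe", "command_line": "cmd.exe /c chcp"},
    {"host": "ws01", "parent": "updater.exe", "command_line": "dism.exe /online /Get-Intl"},
    {"host": "ws02", "parent": "explorer.exe", "command_line": "chcp 65001"},
    {"host": "lx01", "parent": "sshd", "command_line": "locale"},
    {"host": "lx02", "parent": "install.sh", "command_line": "cat /etc/default/locale"},
    {"host": "lx02", "parent": "install.sh", "command_line": "grep LANG"},
]

if __name__ == "__main__":
    for key, rules in correlate(SAMPLE_EVENTS).items():
        print(key, rules)
```

A single `locale` or `chcp` call is routine on most hosts, so the per-event matches are best treated as low-severity signals and the correlated groups as the alert.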

threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin