Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check)There are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Query Registry and calls to Native API functions.(Citation: CrowdStrike Ryuk January 2019)
For example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Languageor parsing the outputs of Windows API functionsGetUserDefaultUILanguage,GetSystemDefaultUILanguage,GetKeyboardLayoutListandGetUserDefaultLangID.(Citation: Darkside Ransomware Cybereason)(Citation: Securelist JSWorm)(Citation: SecureList SynAck Doppelgänging May 2018)On a macOS or Linux system, adversaries may query
localeto retrieve the value of the$LANGenvironment variable.
-
Atomic Test #6 - Discover System Language by Environment Variable Query
-
Atomic Test #8 - Discover System Language by Windows API Query
Identify System language by querying the registry on an endpoint.
Upon successful execution, result in number format can be looked up to correlate the language.
Supported Platforms: Windows
auto_generated_guid: 631d4cf1-42c9-4209-8fe9-6bd4de9421be
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\LanguageIdentify System language with the chcp command.
Upon successful execution, result in number format can be looked up to correlate the language.
Supported Platforms: Windows
auto_generated_guid: d91473ca-944e-477a-b484-0e80217cd789
chcpIdentify System language with the locale command.
Upon successful execution, the output will contain the environment variables that indicate the 5 character locale that can be looked up to correlate the language and territory.
Supported Platforms: Linux
auto_generated_guid: 837d609b-845e-4519-90ce-edc3b4b0e138
localeIdentify System language with the localectl command.
Upon successful execution, the key System Locale from the output will contain the
LANG environment variable that has the 5 character locale result that can be looked
up to correlate the language and territory.
Supported Platforms: Linux
auto_generated_guid: 07ce871a-b3c3-44a3-97fa-a20118fdc7c9
localectl statusIdentify System language with the by reading the locale configuration file.
The locale configuration file contains the LANG environment variable which
will contain the 5 character locale that can be looked up to correlate the
language and territory.
Supported Platforms: Linux
auto_generated_guid: 5d7057c9-2c8a-4026-91dd-13b5584daa69
[ -f /etc/locale.conf ] && cat /etc/locale.conf || cat /etc/default/locale[ -f /etc/locale.conf ] || [ -f /etc/default/locale ] && exit 0 || exit 1echo "Test only valid for systems that have locale file"Identify System language by checking the environment variables
Upon successful execution, the 5 character locale result can be looked up to
correlate the language and territory. Environment query commands are likely
to run with a pattern match command e.g. env | grep LANG
Note: env and printenv will usually provide the same results. set is
also used as a builtin command that does not generate syscall telemetry but
does provide a list of the environment variables.
Supported Platforms: Linux
auto_generated_guid: cb8f7cdc-36c4-4ed0-befc-7ad7d24dfd7a
env | grep LANG
printenv LANG
set | grep LANG[ -x "$(command -v printenv)" ] && exit 0 || exit 1echo "printenv command does not exist"
exit 1The Windows utility DISM (Deployment Image Servicing and Management) can be used to display information about international settings and languages on the currently installed Windows image using an elevated terminal.
Supported Platforms: Windows
auto_generated_guid: 69f625ba-938f-4900-bdff-82ada3df5d9c
dism.exe /online /Get-IntlThis test executes a custom script called LanguageKeyboardLayout.exe which outputs the values of the following Windows API functions to the user terminal:
GetKeyboardLayout, GetKeyboardLayoutList, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetUserDefaultLangID.
Documentation for these functions is located here.
Supported Platforms: Windows
auto_generated_guid: e39b99e9-ce7f-4b24-9c88-0fbad069e6c6
PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exeDescription: LanguageKeyboardLayout.exe must exist on disk (default location: PathToAtomicsFolder..\ExternalPayloads\LanguageKeyboardLayout.exe)
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe") {exit 0} else {exit 1}New-Item -Type Directory (split-path "PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe") -ErrorAction Ignore | Out-Null
Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1614.001/bin/LanguageKeyboardLayout.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\LanguageKeyboardLayout.exe"WMIC (Windows Management Instrumentation Command-line) is a command-line tool that provides a simplified interface to query and manage Windows system configurations, processes, and hardware information using WMI.
The command in this test retrieves information about the system's locale, operating system language, and multilingual user interface (MUI) languages.
Supported Platforms: Windows
auto_generated_guid: 4758003d-db14-4959-9c0f-9e87558ac69e
| Name | Description | Type | Default Value |
|---|---|---|---|
| target_host | The host that will be queried. |
If the host contains special characters, it may need to be wrapped in double quotes or double + single quotes.
For example: "DESKTOP-123" or "'DESKTOP-123'". | string | localhost| | format_style | You can specify multipe output formats for wmic such as table, list and csv. | string | table|
wmic /node:#{target_host} os get Locale,OSLanguage,MUILanguages /format:#{format_style}This PowerShell script collects key system settings, such as the UI language, user language preferences, system locale, current culture, UI culture, and time zone, into a hash table.
It then outputs these settings in a readable key-value format directly to the terminal. The script is simple and efficient for quickly displaying system configuration details.
Supported Platforms: Windows
auto_generated_guid: 1f23bfe8-36d4-49ce-903a-19a1e8c6631b
$info = @{
UILanguage = Get-WinUILanguageOverride
UserLanguages = (Get-WinUserLanguageList).LanguageTag -join ', '
SystemLocale = Get-WinSystemLocale
CurrentCulture = [System.Globalization.CultureInfo]::CurrentCulture.Name
CurrentUICulture = [System.Globalization.CultureInfo]::CurrentUICulture.Name
TimeZone = (Get-TimeZone).Id
}
$info.GetEnumerator() | ForEach-Object { "$($_.Name): $($_.Value)" }