Detection Strategy for System Location Discovery

ID: DET0043
Domains: Enterprise
Analytics: AN0119, AN0120, AN0121, AN0122
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0119

Unusual process or API usage attempting to query system locale, timezone, or keyboard layout (e.g., calls to GetLocaleInfoW, GetTimeZoneInformation). Detection can be enhanced by correlating with processes not typically associated with system configuration queries, such as unknown binaries or scripts.

Log Sources
Data Component | Name | Channel
Process Creation (DC0032) | WinEventLog:Security | EventCode=4688
OS API Execution (DC0021) | etw:Microsoft-Windows-Kernel-Base | GetLocaleInfoW, GetTimeZoneInformation API calls
Mutable Elements
Field | Description
ParentProcessAllowList | Defines trusted processes expected to call locale APIs. Deviations may indicate adversarial activity.
TimeWindow | Specifies the correlation window between API calls and suspicious process execution (e.g., 2m).
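The correlation AN0119 describes can be checked against sample telemetry. The following is an added example, not part of the ATT&CK page or any MITRE tooling: it joins constructed process-creation records (standing in for Security 4688 events) with constructed API-call records (standing in for ETW Kernel-Base events) by process id, keeps API calls that fall inside the TimeWindow after the process started, and alerts only when the parent is not on ParentProcessAllowList. Field names, timestamps, paths and the allow-list contents are assumptions chosen for the example.

```python
"""Correlate locale/timezone API calls with process creation (AN0119-style logic)."""
from datetime import datetime, timedelta

# Constructed sample process-creation events (4688 stand-ins); field names are assumed.
PROCESS_CREATION = [
    {"ts": "2025-10-21T10:00:00", "pid": 4100,
     "image": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"ts": "2025-10-21T10:01:05", "pid": 5120,
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "parent": "cmd.exe"},
    {"ts": "2025-10-21T10:02:30", "pid": 6001,
     "image": r"C:\Windows\explorer.exe", "parent": "userinit.exe"},
]

# Constructed sample API-call events (ETW stand-ins).
API_EVENTS = [
    {"ts": "2025-10-21T10:00:20", "pid": 4100, "api": "GetLocaleInfoW"},
    {"ts": "2025-10-21T10:01:40", "pid": 5120, "api": "GetTimeZoneInformation"},
    {"ts": "2025-10-21T10:01:41", "pid": 5120, "api": "GetLocaleInfoW"},
    {"ts": "2025-10-21T10:09:00", "pid": 6001, "api": "GetLocaleInfoW"},  # past the window
    {"ts": "2025-10-21T10:01:42", "pid": 5120, "api": "CreateFileW"},      # not a locale API
]

# Mutable elements from the analytic; the allow-list members are assumptions.
PARENT_PROCESS_ALLOW_LIST = {"services.exe", "userinit.exe"}
TIME_WINDOW = timedelta(minutes=2)

# APIs named by the analytic.
LOCALE_APIS = {"GetLocaleInfoW", "GetTimeZoneInformation"}


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def correlate(process_events, api_events,
              allow_list=PARENT_PROCESS_ALLOW_LIST, window=TIME_WINDOW):
    """Return {pid: {"image", "parent", "apis"}} for processes that called a
    locale/timezone API within `window` of creation and whose parent is not
    on the allow list. Calls from unknown pids are ignored (no 4688 to join)."""
    by_pid = {e["pid"]: e for e in process_events}
    alerts = {}
    for call in api_events:
        if call["api"] not in LOCALE_APIS:
            continue
        proc = by_pid.get(call["pid"])
        if proc is None:
            continue
        delta = _ts(call["ts"]) - _ts(proc["ts"])
        if not (timedelta(0) <= delta <= window):
            continue                      # API call outside the correlation window
        if proc["parent"] in allow_list:
            continue                      # expected caller, suppress
        entry = alerts.setdefault(call["pid"],
                                  {"image": proc["image"], "parent": proc["parent"], "apis": []})
        entry["apis"].append(call["api"])
    return alerts


if __name__ == "__main__":
    for pid, info in correlate(PROCESS_CREATION, API_EVENTS).items():
        print(f"ALERT pid={pid} image={info['image']} parent={info['parent']} apis={info['apis']}")
```

With the sample data only pid 5120 (a Temp-directory binary spawned by cmd.exe) is reported; svchost.exe is suppressed by the allow list and explorer.exe's call lands outside the 2-minute window. Widening the window or emptying the allow list changes which processes surface, which is exactly the tuning the two mutable elements exist for.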

AN0120

Detection of commands accessing locale, timezone, or language settings such as 'locale', 'timedatectl', or parsing /etc/timezone. Anomalous execution by unusual users or automation scripts should be flagged.

Log Sources
Data Component | Name | Channel
Command Execution (DC0064) | auditd:SYSCALL | execve calls to locale, timedatectl, or cat /etc/timezone
Process Creation (DC0032) | linux:Sysmon | EventCode=1
Mutable Elements
Field | Description
UserContext | Unexpected users running location discovery commands may indicate malicious behavior.

AN0121

Detection of system calls or commands accessing system locale (e.g., 'defaults read -g AppleLocale', 'systemsetup -gettimezone'). Correlate with unusual parent processes or execution contexts.

Log Sources
Data Component | Name | Channel
Command Execution (DC0064) | macos:unifiedlog | defaults read -g AppleLocale, systemsetup -gettimezone
Process Creation (DC0032) | macos:osquery | execve
Mutable Elements
Field | Description
ExecutionPath | Restrict known binaries allowed to query system locale on macOS.

AN0122

Detection of queries to instance metadata services (e.g., AWS IMDS, Azure Metadata Service) for availability zone, region, or network geolocation details. Correlation with non-management accounts or non-standard workloads may indicate adversary reconnaissance.

Log Sources
Data Component | Name | Channel
OS API Execution (DC0021) | AWS:CloudTrail | GetMetadata, DescribeInstanceIdentity
Network Traffic Content (DC0085) | azure:vpcflow | HTTP requests to 169.254.169.254 or Azure Metadata endpoints
Mutable Elements
Field | Description
MetadataQueryAllowList | Expected services that query cloud metadata APIs. Any additional sources may be malicious.
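AN0122's network-side check (metadata-endpoint requests from workloads not on MetadataQueryAllowList) can be expressed as a small filter over flow or proxy records. The following is an added example, not part of the ATT&CK page or any vendor product: it parses constructed key=value log lines, keeps requests to 169.254.169.254 whose path is one of the location-related AWS IMDS or Azure IMDS paths, and reports those whose source workload is not allow-listed. The line format, workload names and allow-list contents are assumptions; the metadata IP and the AWS/Azure paths are the documented ones.

```python
"""Flag instance-metadata location queries from unexpected workloads (AN0122-style logic)."""
import re
from urllib.parse import urlsplit

# Link-local metadata address shared by AWS IMDS and Azure IMDS.
METADATA_HOSTS = {"169.254.169.254"}

# Paths that return placement / region / location details.
LOCATION_PATH_PREFIXES = (
    "/latest/meta-data/placement/",          # AWS: availability-zone, region
    "/latest/dynamic/instance-identity/",    # AWS: identity document (region, AZ)
    "/metadata/instance/compute/location",   # Azure: region of the VM
)

# Mutable element from the analytic; the members are assumptions for this example.
METADATA_QUERY_ALLOW_LIST = {"ops-agent", "cloud-init"}

# Constructed sample records in an assumed "ts key=value ..." format.
SAMPLE_LINES = [
    "2025-10-21T10:00:00Z src=10.0.1.5 workload=ops-agent dst=169.254.169.254 method=GET path=/latest/meta-data/placement/availability-zone",
    "2025-10-21T10:00:12Z src=10.0.1.9 workload=web-frontend dst=169.254.169.254 method=GET path=/latest/meta-data/placement/region",
    "2025-10-21T10:00:13Z src=10.0.1.9 workload=web-frontend dst=169.254.169.254 method=GET path=/latest/meta-data/hostname",
    "2025-10-21T10:00:20Z src=10.0.2.4 workload=batch-job dst=169.254.169.254 method=GET path=/metadata/instance/compute/location?api-version=2021-02-01",
    "2025-10-21T10:00:25Z src=10.0.1.9 workload=web-frontend dst=10.0.2.7 method=GET path=/health",
    "malformed line with no fields",
]

_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>(?:\S+=\S+\s*)+)$")


def parse_line(line: str):
    """Parse one record into a dict, or return None if it does not match the format."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_location_query(record) -> bool:
    """True if the record is an HTTP request to the metadata host for a location path."""
    if record.get("dst") not in METADATA_HOSTS:
        return False
    path = urlsplit(record.get("path", "")).path   # drop ?api-version=... etc.
    return path.startswith(LOCATION_PATH_PREFIXES)


def find_unexpected_metadata_queries(lines, allow_list=METADATA_QUERY_ALLOW_LIST):
    """Return (workload, path) pairs for location queries from non-allow-listed workloads."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_location_query(rec):
            continue
        if rec.get("workload") in allow_list:
            continue
        hits.append((rec["workload"], urlsplit(rec["path"]).path))
    return hits


if __name__ == "__main__":
    for workload, path in find_unexpected_metadata_queries(SAMPLE_LINES):
        print(f"ALERT workload={workload} queried {path}")
```

Only the web-frontend region lookup and the batch-job Azure location lookup are reported; the ops-agent query is allow-listed, the hostname lookup is not a location path, and the /health request never touches the metadata host. Flow logs that carry only 5-tuples cannot distinguish paths, so for those sources the filter collapses to "any request to 169.254.169.254 from a workload outside the allow list", and the allow list does all the work.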