Detection Strategy for System Language Discovery

ID: DET0565
Domains: Enterprise
Analytics: AN1561, AN1562, AN1563
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1561

Registry access to system language keys (e.g., HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language) or suspicious processes invoking locale-related APIs (e.g., GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList). Defender visibility focuses on anomalous or non-standard processes issuing these queries, especially when run by unknown binaries or scripts.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Windows Registry Key Access (DC0050) | WinEventLog:Security | EventCode=4657 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| OS API Execution (DC0021) | ETW | Calls to GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList |

Mutable Elements

| Field | Description |
| --- | --- |
| ParentProcessAllowList | Defines trusted processes allowed to query registry language keys or APIs. Unexpected parent-child process chains may indicate adversary use. |
| QueryThreshold | Frequency threshold for language registry or API calls within a set time window. |
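As an added example (not part of the ATT&CK detection strategy itself), the following Python applies the ParentProcessAllowList and QueryThreshold mutable elements of AN1561 to a few constructed Windows events shaped like the Security 4657 and ETW telemetry listed above. The event schema, the allow-list members, the threshold and the window are assumptions to be tuned per environment.

```python
from collections import defaultdict
# AN1561 mutable elements with constructed starting values; tune these per environment.
PARENT_PROCESS_ALLOW_LIST = {"services.exe", "explorer.exe", "winlogon.exe"}
QUERY_THRESHOLD = 3          # more than this many language queries per process per window alerts
WINDOW_SECONDS = 60
LANGUAGE_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language"
LOCALE_APIS = {"GetUserDefaultUILanguage", "GetSystemDefaultUILanguage", "GetKeyboardLayoutList"}

def is_language_query(event):
    """True for a 4657-style registry access under the system language key or an ETW locale API call."""
    if event["source"] == "registry":
        return event["detail"].lower().startswith(LANGUAGE_KEY.lower())
    if event["source"] == "etw":
        return event["detail"] in LOCALE_APIS
    return False

def evaluate(events):
    """Apply the allow-list and frequency checks; returns (rule, image, pid) alerts in time order."""
    alerts, flagged_parents = [], set()
    history = defaultdict(list)                     # (image, pid) -> timestamps of language queries
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_language_query(ev):
            continue
        proc = (ev["image"], ev["pid"])
        # Rule 1: the querying process was started by a parent outside the allow list (alert once).
        if ev["parent"].lower() not in PARENT_PROCESS_ALLOW_LIST and proc not in flagged_parents:
            flagged_parents.add(proc)
            alerts.append(("untrusted_parent", *proc))
        # Rule 2: too many language queries from one process inside a sliding window (alert on crossing).
        history[proc] = [t for t in history[proc] + [ev["ts"]] if ev["ts"] - t <= WINDOW_SECONDS]
        if len(history[proc]) == QUERY_THRESHOLD + 1:
            alerts.append(("query_threshold", *proc))
    return alerts

# Constructed sample telemetry (not real logs): a benign system query, then a burst from an unknown binary.
def _ev(ts, source, image, pid, parent, detail):
    return {"ts": ts, "source": source, "image": image, "pid": pid, "parent": parent, "detail": detail}

SAMPLE_EVENTS = [
    _ev(0, "registry", "svchost.exe", 812, "services.exe", LANGUAGE_KEY),
    _ev(10, "etw", "updater.exe", 4120, "cmd.exe", "GetUserDefaultUILanguage"),
    _ev(11, "etw", "updater.exe", 4120, "cmd.exe", "GetSystemDefaultUILanguage"),
    _ev(12, "etw", "updater.exe", 4120, "cmd.exe", "GetKeyboardLayoutList"),
    _ev(13, "registry", "updater.exe", 4120, "cmd.exe", LANGUAGE_KEY + r"\InstallLanguage"),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

The benign svchost.exe query under services.exe produces nothing, while the unknown binary trips both the untrusted-parent rule and, on its fourth query within the window, the threshold rule.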

AN1562

Processes executing commands that query system locale and language settings, such as 'locale' or 'echo $LANG', or that parse locale-related environment variables. Suspicious activity is indicated when these commands are run by unusual users, automation scripts, or non-administrative processes.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Command Execution (DC0064) | auditd:SYSCALL | execve calls to /usr/bin/locale or shell execution of $LANG |
| Process Creation (DC0032) | linux:Sysmon | EventCode=1 |

Mutable Elements

| Field | Description |
| --- | --- |
| UserContext | Unexpected or non-admin users executing locale commands may suggest malicious behavior. |

AN1563

Execution of commands to query system locale and language settings, such as 'defaults read -g AppleLocale' or 'systemsetup -gettimezone'. Unusual parent processes or execution contexts of these commands may indicate adversarial discovery.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Command Execution (DC0064) | macos:unifiedlog | defaults read -g AppleLocale or systemsetup -gettimezone |
| Process Creation (DC0032) | macos:osquery | execve |

Mutable Elements

| Field | Description |
| --- | --- |
| ExecutionPath | Restrict or monitor processes outside of system utilities that query AppleLocale or system language settings. |