DET0565 Detection Strategy for System Language Discovery
| Item | Value |
|---|---|
| ID | DET0565 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1614.001 (System Language Discovery)
Analytics
Windows
AN1561
Registry access to system language keys (e.g., `HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language`) or suspicious processes invoking locale-related APIs (e.g., `GetUserDefaultUILanguage`, `GetSystemDefaultUILanguage`, `GetKeyboardLayoutList`). Defender visibility focuses on anomalous or non-standard processes issuing these queries, especially when run by unknown binaries or scripts.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| ParentProcessAllowList | Defines trusted processes allowed to query registry language keys or APIs. Unexpected parent-child process chains may indicate adversary use. |
| QueryThreshold | Frequency threshold for language registry or API calls within a set time window. |
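As an added worked example (not code from DET0565 or from MITRE), the Python below applies both mutable elements of AN1561 to a handful of constructed Windows events. The event fields (`UtcTime`, `ProcessId`, `Image`, `ParentImage`, `TargetObject`) are modelled loosely on Sysmon registry and process-create records, and the `ApiCalls` list stands in for whatever API-monitoring feed an EDR provides; all of those field names, the allow-list entries and the threshold values are assumptions for the example.

```python
"""Added example (not part of DET0565 or MITRE's own code): a toy analytic for
AN1561 run over constructed Windows telemetry. Field names are assumptions
modelled loosely on Sysmon registry (ID 12/13) and process-create (ID 1)
records plus an assumed ApiCalls list that an EDR might supply.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Registry key named in the analytic (prefix match, case-insensitive).
LANGUAGE_KEY_PREFIXES = (r"hklm\system\currentcontrolset\control\nls\language",)
# Locale-related APIs named in the analytic.
LOCALE_APIS = {"GetUserDefaultUILanguage", "GetSystemDefaultUILanguage",
               "GetKeyboardLayoutList"}

# Mutable elements (constructed values; tune per environment).
PARENT_PROCESS_ALLOW_LIST = {r"c:\windows\explorer.exe",
                             r"c:\windows\system32\svchost.exe"}
QUERY_THRESHOLD = 3                  # queries by one process ...
QUERY_WINDOW = timedelta(minutes=5)  # ... within this sliding window


def is_language_query(event):
    """True if the event reads a system language key or calls a locale API."""
    target = event.get("TargetObject", "").lower()
    if target.startswith(LANGUAGE_KEY_PREFIXES):
        return True
    return bool(LOCALE_APIS & set(event.get("ApiCalls", ())))


def detect_language_discovery(events):
    """Return (image, reason) alerts: at most one per process for an unexpected
    parent and one per process when QueryThreshold is reached inside QUERY_WINDOW."""
    alerts = []
    timestamps = defaultdict(list)   # (pid, image) -> query times still in window
    flagged = set()                  # (key, rule) pairs already alerted on
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if not is_language_query(ev):
            continue
        key = (ev["ProcessId"], ev["Image"].lower())
        parent = ev.get("ParentImage", "").lower()
        # ParentProcessAllowList: any parent outside the list is worth a look.
        if parent not in PARENT_PROCESS_ALLOW_LIST and (key, "parent") not in flagged:
            flagged.add((key, "parent"))
            alerts.append((ev["Image"],
                           f"language query with unexpected parent {ev.get('ParentImage')}"))
        # QueryThreshold: count queries from this process inside the sliding window.
        window = [t for t in timestamps[key] + [ev["UtcTime"]]
                  if ev["UtcTime"] - t <= QUERY_WINDOW]
        timestamps[key] = window
        if len(window) >= QUERY_THRESHOLD and (key, "threshold") not in flagged:
            flagged.add((key, "threshold"))
            alerts.append((ev["Image"],
                           f"{len(window)} language queries within {QUERY_WINDOW}"))
    return alerts


T0 = datetime(2025, 10, 21, 12, 0, 0)
WINWORD = r"C:\Program Files\Microsoft Office\WINWORD.EXE"   # constructed path
SAMPLE_EVENTS = [  # constructed, not real telemetry
    # Settings app spawned by explorer reads the key once: expected.
    {"UtcTime": T0, "ProcessId": 1200, "Image": r"C:\Windows\System32\SystemSettings.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Nls\Language\Default"},
    # Unknown binary spawned by an Office process queries the key, then two APIs.
    {"UtcTime": T0 + timedelta(seconds=1), "ProcessId": 4410,
     "Image": r"C:\Users\Public\update.exe", "ParentImage": WINWORD,
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Nls\Language\Default"},
    {"UtcTime": T0 + timedelta(seconds=2), "ProcessId": 4410,
     "Image": r"C:\Users\Public\update.exe", "ParentImage": WINWORD,
     "ApiCalls": ["GetUserDefaultUILanguage"]},
    {"UtcTime": T0 + timedelta(seconds=3), "ProcessId": 4410,
     "Image": r"C:\Users\Public\update.exe", "ParentImage": WINWORD,
     "ApiCalls": ["GetKeyboardLayoutList"]},
    # Unrelated registry access: ignored by the analytic.
    {"UtcTime": T0 + timedelta(seconds=4), "ProcessId": 1200,
     "Image": r"C:\Windows\System32\SystemSettings.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for image, reason in detect_language_discovery(SAMPLE_EVENTS):
        print(f"ALERT {image}: {reason}")
```

Run as-is it raises two alerts, both on `update.exe`: one for the parent outside the allow list and one when its third query lands inside the five-minute window, while the single query from the explorer-spawned settings app stays silent. Alerting once per process per rule is the design choice that keeps a chatty but legitimate process from flooding the queue.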
Linux
AN1562
Processes executing commands to query system locale and language settings, such as `locale`, `echo $LANG`, or parsing environment variables. Suspicious activity is indicated by these commands being run by unusual users, automation scripts, or non-administrative processes.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| UserContext | Unexpected or non-admin users executing locale commands may suggest malicious behavior. |
macOS
AN1563
Execution of commands to query system locale and language settings, such as `defaults read -g AppleLocale` or `systemsetup -gettimezone`. Unusual parent processes or execution contexts of these commands may indicate adversarial discovery.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| ExecutionPath | Restrict or monitor processes outside of system utilities that query AppleLocale or system language settings. |
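The Linux (AN1562) and macOS (AN1563) analytics share the same shape, so one added example (not code from DET0565 or from MITRE) covers both: it matches the four command lines named above and scores each execution against the UserContext and ExecutionPath mutable elements, plus the "automation script" context mentioned in AN1562. The record fields (`user`, `tty`, `exe`, `cmdline`, `parent_exe`), the admin user set and the system-utility directories are assumptions for the example, modelled loosely on auditd execve or EDR process-start telemetry.

```python
"""Added example (not part of DET0565 or MITRE's own code): a toy analytic for
AN1562 (Linux) and AN1563 (macOS) run over constructed process-execution
records. Field names are assumptions modelled loosely on auditd execve /
EDR process-start telemetry.
"""
import re

# Commands named in the two analytics. `echo $LANG` is a shell builtin, so it
# only appears inside a shell's command line; the others are real binaries.
LOCALE_COMMAND_PATTERNS = [
    ("locale", re.compile(r"(^|[\s/])locale(\s|$)")),
    ("echo $LANG", re.compile(r"echo\s+[\"']?\$\{?LANG")),
    ("defaults read -g AppleLocale", re.compile(r"defaults\s+read\s+-g\s+AppleLocale")),
    ("systemsetup -gettimezone", re.compile(r"systemsetup\s+-gettimezone")),
]

# Mutable elements (constructed values; tune per environment).
ADMIN_USERS = {"root", "admin"}                                        # UserContext
SYSTEM_UTILITY_PATHS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")  # ExecutionPath


def match_locale_command(cmdline):
    """Return the analytic's name for the matched locale query, else None."""
    for name, pattern in LOCALE_COMMAND_PATTERNS:
        if pattern.search(cmdline):
            return name
    return None


def evaluate(event):
    """Return the reasons this execution looks like suspicious discovery.
    An empty list means either no locale query or an expected context."""
    name = match_locale_command(event["cmdline"])
    if name is None:
        return []
    reasons = []
    # UserContext: non-admin or service accounts running locale queries.
    if event["user"] not in ADMIN_USERS:
        reasons.append(f"{name!r} run by non-admin user {event['user']}")
    # Automation: no controlling terminal points at a script rather than a person.
    if not event.get("tty"):
        reasons.append(f"{name!r} run without a tty (script or automation)")
    # ExecutionPath: the executing binary or its parent outside system utility dirs.
    for label in ("exe", "parent_exe"):
        path = event.get(label, "")
        if path and not path.startswith(SYSTEM_UTILITY_PATHS):
            reasons.append(f"{name!r} {label} outside system utilities: {path}")
    return reasons


def detect(events, min_reasons=2):
    """Return (cmdline, reasons) for events with at least min_reasons indicators.
    Requiring two keeps an interactive non-admin `locale` from alerting on its own."""
    alerts = []
    for ev in events:
        reasons = evaluate(ev)
        if len(reasons) >= min_reasons:
            alerts.append((ev["cmdline"], reasons))
    return alerts


SAMPLE_EVENTS = [  # constructed, not real telemetry
    # Linux: admin in an interactive shell -> expected.
    {"os": "linux", "user": "root", "tty": "pts/0", "exe": "/usr/bin/locale",
     "cmdline": "locale", "parent_exe": "/bin/bash"},
    # Linux: ordinary user checking LANG over SSH -> one indicator only.
    {"os": "linux", "user": "alice", "tty": "pts/1", "exe": "/bin/bash",
     "cmdline": 'bash -c "echo $LANG"', "parent_exe": "/usr/sbin/sshd"},
    # Linux: service account, no tty, parent living in /tmp -> alert.
    {"os": "linux", "user": "www-data", "tty": "", "exe": "/usr/bin/locale",
     "cmdline": "locale", "parent_exe": "/tmp/.cache/agent"},
    # macOS: user in Terminal -> one indicator only.
    {"os": "macos", "user": "jsmith", "tty": "ttys001", "exe": "/usr/bin/defaults",
     "cmdline": "defaults read -g AppleLocale", "parent_exe": "/bin/zsh"},
    # macOS: no tty, parent in a shared user directory -> alert.
    {"os": "macos", "user": "jsmith", "tty": "", "exe": "/usr/sbin/systemsetup",
     "cmdline": "systemsetup -gettimezone", "parent_exe": "/Users/Shared/.helper"},
    # Contains the substring but is not a locale query.
    {"os": "linux", "user": "alice", "tty": "pts/1", "exe": "/usr/bin/cat",
     "cmdline": "cat /etc/locale.gen", "parent_exe": "/bin/bash"},
]

if __name__ == "__main__":
    for cmdline, reasons in detect(SAMPLE_EVENTS):
        print(f"ALERT {cmdline!r}: " + "; ".join(reasons))
```

Against the sample set only the two non-interactive executions with a parent outside the system utility directories reach the two-indicator bar; the interactive queries by `alice` and `jsmith` each carry a single UserContext indicator and are left for baselining rather than alerting. In a real deployment `ADMIN_USERS` would be fed from the directory's admin group and `SYSTEM_UTILITY_PATHS` extended with any approved management agents.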