1. Home
  2. Techniques
  3. Enterprise
  4. System Location Discovery

System Location Discovery

ID Name
T1614.001 System Language Discovery

Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from System Location Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.[1][2][3] Windows API functions such as GetLocaleInfoW can also be used to determine the locale of the host.[1] In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.[4][5]

Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.[6][2]

ID: T1614
Sub-techniques:  T1614.001
Tactic: Discovery
Platforms: IaaS, Linux, Windows, macOS
Permissions Required: User
Contributors: Hiroki Nagahama, NEC Corporation; Katie Nickels, Red Canary; Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India; Wes Hurd
Version: 1.0
Created: 01 April 2021
Last Modified: 15 October 2021

Procedure Examples

ID Name Description
S0115 Crimson

Crimson can identify the geographical location of a victim host.[7]

S0673 DarkWatchman

DarkWatchman can identity the OS locale of a compromised host.[8]
S0632 GrimAgent

GrimAgent can identify the country code on a compromised host.[9]
S0481 Ragnar Locker

Before executing malicious code, Ragnar Locker checks the Windows API GetLocaleInfoW and doesn't encrypt files if it finds a former Soviet country.[1]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0009 Process OS API Execution
Process Creation

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system location information. Remote access tools with built-in features may interact directly with the Windows API, such as calling GetLocaleInfoW to gather information.[1]

Monitor traffic flows to geo-location service provider sites, such as ip-api and ipinfo.

References

  1. FBI. (2020, November 19). Indicators of Compromise Associated with Ragnar Locker Ransomware. Retrieved April 1, 2021.
  2. Wisniewski, C. (2016, May 3). Location-based threats: How cybercriminals target you based on where you live. Retrieved April 1, 2021.
  3. Abrams, L. (2020, October 23). New RAT malware gets commands via Discord, has ransomware feature. Retrieved April 1, 2021.
  4. Amazon. (n.d.). Instance identity documents. Retrieved April 2, 2021.
  5. Microsoft. (2021, February 21). Azure Instance Metadata Service (Windows). Retrieved April 2, 2021.
  1. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved April 1, 2021.
  2. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  3. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  4. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.