T1614 System Location Discovery

Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from System Location Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as <code>GetLocaleInfoW</code> can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)

Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)

View in MITRE ATT&CK®

VERIS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
action.hacking.variety.Profile host Enumerating the state of the current host related-to T1614 System Location Discovery

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
alerts_for_windows_machines Alerts for Windows Machines technique_scores T1614 System Location Discovery
Comments
This capability can detect if commands associated with this technique such as GetLocaleInfoW are executed.
References

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1614.001 System Language Discovery 2