System Language Discovery

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects attempts to identify the system’s language or locale for targeting or evasion.

Severity

Attention

Rule Requirement

Criteria

Action1: actionname = "Process started" AND (( PROCESSNAME endswith "reg.exe,powershell.exe,pwsh.exe,pwsh-preview.exe,powershell_ise.exe,powershell-ise.exe,powershell.exe32,pwsh.exe32,cmd.exe,wmic.exe,cscript.exe,wscript.exe,mshta.exe,rundll32.exe,WmiPrvSE.exe,svchost.exe" OR ORIGINALFILENAME = "reg.exe,powershell.exe,pwsh.dll,pwsh-preview.exe,powershell_ise.exe,powershell-ise.exe,powershell.exe32,pwsh.exe32,cmd.exe,wmic.exe,cscript.exe,wscript.exe,mshta.exe,rundll32.exe,WmiPrvSE.exe,svchost.exe" ) AND COMMANDLINE contains "query" AND COMMANDLINE contains "Control\Nls\Language" ) select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME,Action1.DOMAIN,Action1.ORIGINALFILENAME,Action1.PARENTPROCESSID,Action1.PROCESSID,Action1.PRODUCT_NAME,Action1.SECURITYID

Detection

Execution Mode

realtime

Log Sources

Windows

Author

@Marco Pedrinazzi (@pedrinazziM) (InTheCyber)