System Language Discovery via Reg.Exe
Adversaries use reg.exe to query system language settings in order to determine the geographic location of victims, customize payloads, or evade detection by avoiding certain locales.
Attackers may perform system language discovery to gather information about a compromised host. This information can be used to tailor attacks to specific geographic regions, customize payloads, or avoid targeting systems in certain locales to evade detection. This activity is typically performed using the reg.exe utility, a built-in Windows command-line tool for interacting with the registry. While not inherently malicious, the use of reg.exe to specifically query language settings (e.g., Control\Nls\Language) is a common technique used by threat actors during the reconnaissance phase of an attack. Understanding the target's language and location allows for more effective social engineering, localized malware deployment, and better evasion strategies.
Attack Chain
- The attacker gains initial access to the target system through some method.
- The attacker executes
reg.exewith thequeryparameter to retrieve registry values. - The
CommandLineincludesqueryandControl\Nls\Languageto specify the target registry key. reg.exequeries the registry for system language settings underHKLM\SYSTEM\CurrentControlSet\Control\Nls\Language.- The attacker parses the output of the
reg querycommand to extract the installed system languages and regional settings. - The discovered language information is used to customize subsequent stages of the attack, such as delivering localized payloads or avoiding specific regions.
- The attacker uses this information to make decisions about further actions on the compromised system, such as tailored payload deployment.
Impact
Successful system language discovery allows attackers to understand the geographic location of the victim, enabling them to tailor attacks for specific regions. This can lead to more effective social engineering, the deployment of localized malware, or evasion of detection by avoiding systems in certain locales. While this activity itself doesn't cause direct harm, it serves as a crucial step in reconnaissance for a larger attack, potentially leading to data exfiltration, ransomware deployment, or other malicious outcomes.
Recommendation
- Deploy the Sigma rule "System Language Discovery via Reg.Exe" to your SIEM to detect suspicious usage of
reg.exequerying language settings (logsource: process_creation/windows). - Investigate any process creations of
reg.exewith command-line arguments containing bothqueryandControl\Nls\Language. - Monitor process execution for command lines that contain 'reg.exe' and 'Control\Nls\Language' to identify potential reconnaissance activity.
Detection coverage 2
System Language Discovery via Reg.Exe CommandLine
mediumDetects the usage of Reg.Exe to query system language settings using command line.
System Language Discovery via Reg.Exe TargetObject
mediumDetects the usage of Reg.Exe to query system language settings using TargetObject.
Detection queries are available on the platform. Get full rules →