{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/reg.exe/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["discovery","system-language","reg.exe"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers may perform system language discovery to gather information about a compromised host. This information can be used to tailor attacks to specific geographic regions, customize payloads, or avoid targeting systems in certain locales to evade detection. This activity is typically performed using the \u003ccode\u003ereg.exe\u003c/code\u003e utility, a built-in Windows command-line tool for interacting with the registry. While not inherently malicious, the use of \u003ccode\u003ereg.exe\u003c/code\u003e to specifically query language settings (e.g., \u003ccode\u003eControl\\Nls\\Language\u003c/code\u003e) is a common technique used by threat actors during the reconnaissance phase of an attack. Understanding the target's language and location allows for more effective social engineering, localized malware deployment, and better evasion strategies.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system through some method.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ereg.exe\u003c/code\u003e with the \u003ccode\u003equery\u003c/code\u003e parameter to retrieve registry values.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eCommandLine\u003c/code\u003e includes \u003ccode\u003equery\u003c/code\u003e and \u003ccode\u003eControl\\Nls\\Language\u003c/code\u003e to specify the target registry key.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ereg.exe\u003c/code\u003e queries the registry for system language settings under \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the output of the \u003ccode\u003ereg query\u003c/code\u003e command to extract the installed system languages and regional settings.\u003c/li\u003e\n\u003cli\u003eThe discovered language information is used to customize subsequent stages of the attack, such as delivering localized payloads or avoiding specific regions.\u003c/li\u003e\n\u003cli\u003eThe attacker uses this information to make decisions about further actions on the compromised system, such as tailored payload deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful system language discovery allows attackers to understand the geographic location of the victim, enabling them to tailor attacks for specific regions. This can lead to more effective social engineering, the deployment of localized malware, or evasion of detection by avoiding systems in certain locales. While this activity itself doesn't cause direct harm, it serves as a crucial step in reconnaissance for a larger attack, potentially leading to data exfiltration, ransomware deployment, or other malicious outcomes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;System Language Discovery via Reg.Exe\u0026quot; to your SIEM to detect suspicious usage of \u003ccode\u003ereg.exe\u003c/code\u003e querying language settings (logsource: process_creation/windows).\u003c/li\u003e\n\u003cli\u003eInvestigate any process creations of \u003ccode\u003ereg.exe\u003c/code\u003e with command-line arguments containing both \u003ccode\u003equery\u003c/code\u003e and \u003ccode\u003eControl\\Nls\\Language\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor process execution for command lines that contain 'reg.exe' and 'Control\\Nls\\Language' to identify potential reconnaissance activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T18:22:00Z","date_published":"2024-01-26T18:22:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-26-system-language-discovery/","summary":"Adversaries use reg.exe to query system language settings in order to determine the geographic location of victims, customize payloads, or evade detection by avoiding certain locales.","title":"System Language Discovery via Reg.Exe","url":"https://feed.craftedsignal.io/briefs/2024-01-26-system-language-discovery/"}],"language":"en","title":"CraftedSignal Threat Feed - Reg.exe","version":"https://jsonfeed.org/version/1.1"}