<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>System-Language - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/system-language/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 26 Jan 2024 18:22:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/system-language/feed.xml" rel="self" type="application/rss+xml"/><item><title>System Language Discovery via Reg.Exe</title><link>https://feed.craftedsignal.io/briefs/2024-01-26-system-language-discovery/</link><pubDate>Fri, 26 Jan 2024 18:22:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-26-system-language-discovery/</guid><description>Adversaries use reg.exe to query system language settings in order to determine the geographic location of victims, customize payloads, or evade detection by avoiding certain locales.</description><content:encoded><![CDATA[<p>Attackers may perform system language discovery to gather information about a compromised host. This information can be used to tailor attacks to specific geographic regions, customize payloads, or avoid targeting systems in certain locales to evade detection. This activity is typically performed using the <code>reg.exe</code> utility, a built-in Windows command-line tool for interacting with the registry. While not inherently malicious, the use of <code>reg.exe</code> to specifically query language settings (e.g., <code>Control\Nls\Language</code>) is a common technique used by threat actors during the reconnaissance phase of an attack. Understanding the target's language and location allows for more effective social engineering, localized malware deployment, and better evasion strategies.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the target system through some method.</li>
<li>The attacker executes <code>reg.exe</code> with the <code>query</code> parameter to retrieve registry values.</li>
<li>The <code>CommandLine</code> includes <code>query</code> and <code>Control\Nls\Language</code> to specify the target registry key.</li>
<li><code>reg.exe</code> queries the registry for system language settings under <code>HKLM\SYSTEM\CurrentControlSet\Control\Nls\Language</code>.</li>
<li>The attacker parses the output of the <code>reg query</code> command to extract the installed system languages and regional settings.</li>
<li>The discovered language information is used to customize subsequent stages of the attack, such as delivering localized payloads or avoiding specific regions.</li>
<li>The attacker uses this information to make decisions about further actions on the compromised system, such as tailored payload deployment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful system language discovery allows attackers to understand the geographic location of the victim, enabling them to tailor attacks for specific regions. This can lead to more effective social engineering, the deployment of localized malware, or evasion of detection by avoiding systems in certain locales. While this activity itself doesn't cause direct harm, it serves as a crucial step in reconnaissance for a larger attack, potentially leading to data exfiltration, ransomware deployment, or other malicious outcomes.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;System Language Discovery via Reg.Exe&quot; to your SIEM to detect suspicious usage of <code>reg.exe</code> querying language settings (logsource: process_creation/windows).</li>
<li>Investigate any process creations of <code>reg.exe</code> with command-line arguments containing both <code>query</code> and <code>Control\Nls\Language</code>.</li>
<li>Monitor process execution for command lines that contain 'reg.exe' and 'Control\Nls\Language' to identify potential reconnaissance activity.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>discovery</category><category>system-language</category><category>reg.exe</category></item></channel></rss>