New to CAPEC? Start Here
Home > CAPEC List > CAPEC-694: System Location Discovery (Version 3.8)  

CAPEC-694: System Location Discovery

Attack Pattern ID: 694
Abstraction: Standard
Presentation Filter:
+ Description

An adversary collects information about the target system in an attempt to identify the system's geographical location.

Information gathered could include keyboard layout, system language, and timezone. This information may benefit an adversary in confirming the desired target and/or tailoring further attacks.

+ Likelihood Of Attack

High

+ Typical Severity

Very Low

+ Relationships
Section HelpThis table shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight to similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.
NatureTypeIDName
ChildOfMeta Attack PatternMeta Attack Pattern - A meta level attack pattern in CAPEC is a decidedly abstract characterization of a specific methodology or technique used in an attack. A meta attack pattern is often void of a specific technology or implementation and is meant to provide an understanding of a high level approach. A meta level attack pattern is a generalization of related group of standard level attack patterns. Meta level attack patterns are particularly useful for architecture and design level threat modeling exercises.169Footprinting
Section HelpThis table shows the views that this attack pattern belongs to and top level categories within that view.
+ Execution Flow
Explore
  1. System Locale Information Discovery: The adversary examines system information from various sources such as registry and native API functions and correlates the gathered information to infer the geographical location of the target system

    Techniques
    Registry Query: Query the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex\Language\Language_Dialect on Windows to obtain system language, Computer\HKEY_CURRENT_USER\Keyboard Layout\Preload to obtain the hexadecimal language IDs of the current user's preloaded keyboard layouts, and Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation to obtain the system timezone configuration
    Native API Requests: Parse the outputs of Windows API functions GetTimeZoneInformation, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID to obtain information about languages, keyboard layouts, and timezones installed on the system or on macOS or Linux systems, query locale to obtain the $LANG environment variable and view keyboard layout information or use timeanddatectl status to show the system clock settings.
    Read Configuration Files: For macOS and Linux-based systems, view the /etc/vconsole.conf file to get information about the keyboard mapping and console font.
+ Prerequisites
The adversary must have some level of access to the system and have a basic understanding of the operating system in order to query the appropriate sources for relevant information.
+ Skills Required
[Level: Low]
The adversary must know how to query various system sources of information respective of the system's operating system to obtain the relevant information.
+ Resources Required
The adversary requires access to the target's operating system tools to query relevant system information. On windows, registry queries can be conducted with powershell, wmi, or regedit. On Linux or macOS, queries can be performed with through a shell.
+ Consequences
Section HelpThis table specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.
ScopeImpactLikelihood
Confidentiality
Read Data
+ Mitigations
To reduce the amount of information gathered, one could disable various geolocation features of the operating system not required for system operation.
+ Taxonomy Mappings
Relevant to the ATT&CK taxonomy mapping (also see parent)
Entry IDEntry Name
1614System Language Discovery
+ References
[REF-727] "Language-Specific Registry Entries". <https://learn.microsoft.com/en-us/previous-versions/windows/desktop/indexsrv/language-specific-registry-entries>. URL validated: 2018-05-31.
[REF-728] "winnls.h header". <https://learn.microsoft.com/en-us/windows/win32/api/winnls/>. URL validated: 2022-08-23.
[REF-729] "local (1p) - Linux Man Pages". <https://www.systutorials.com/docs/linux/man/1p-locale/>.
[REF-731] "timedatectl". <https://www.freedesktop.org/software/systemd/man/timedatectl.html>. URL validated: 2022-08-12.
+ Content History
Submissions
Submission DateSubmitterOrganization
2022-09-29
(Version 3.8)
CAPEC Content TeamThe MITRE Corporation
More information is available — Please select a different filter.
Page Last Updated or Reviewed: September 29, 2022