Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumexperimental

System Language Discovery via Reg.Exe

Detects the usage of Reg.Exe to query system language settings. Attackers may discover the system language to determine the geographic location of victims, customize payloads for specific regions, or avoid targeting certain locales to evade detection.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Marco Pedrinazzi (InTheCyber)Created Fri Jan 09c43a5405-e8e1-4221-9ac9-dbe3fa14e886windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        - Image|endswith: '\reg.exe'
        - OriginalFileName: 'reg.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'query'
            - 'Control\Nls\Language'
    condition: all of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
scythe.io
Testing & Validation

Simulations

atomic-red-teamT1614.001
View on ART

Discover System Language by Registry Query

GUID: 631d4cf1-42c9-4209-8fe9-6bd4de9421be

Regression Tests

by Marco Pedrinazzi (@pedrinazziM) (InTheCyber)
Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON
MITRE ATT&CK
Rule Metadata
Rule ID
c43a5405-e8e1-4221-9ac9-dbe3fa14e886
Status
experimental
Level
medium
Type
Detection
Created
Fri Jan 09
Author
Marco Pedrinazzi (InTheCyber)
Path
rules/windows/process_creation/proc_creation_win_reg_system_language_discovery.yml
Raw Tags
attack.discoveryattack.t1614.001
View on GitHub