CAPEC-694 System Location Discovery

CAPEC ID: 694

CAPEC-694 Metadata

Likelihood of Attack

High

Typical Severity

Very Low

Overview

Summary

An adversary collects information about the target system in an attempt to identify the system's geographical location. Information gathered could include keyboard layout, system language, and timezone. This information may benefit an adversary in confirming the desired target and/or tailoring further attacks.

Prerequisites

The adversary must have some level of access to the system and have a basic understanding of the operating system in order to query the appropriate sources for relevant information.

Execution Flow

Step Phase Description Techniques
1 Explore [System Locale Information Discovery] The adversary examines system information from various sources such as registry and native API functions and correlates the gathered information to infer the geographical location of the target system
  • Registry Query: Query the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex\Language\Language_Dialect on Windows to obtain system language, Computer\HKEY_CURRENT_USER\Keyboard Layout\Preload to obtain the hexadecimal language IDs of the current user's preloaded keyboard layouts, and Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation to obtain the system timezone configuration
  • Native API Requests: Parse the outputs of Windows API functions GetTimeZoneInformation, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID to obtain information about languages, keyboard layouts, and timezones installed on the system or on macOS or Linux systems, query locale to obtain the $LANG environment variable and view keyboard layout information or use timeanddatectl status to show the system clock settings.
  • Read Configuration Files: For macOS and Linux-based systems, view the /etc/vconsole.conf file to get information about the keyboard mapping and console font.

Potential Solutions / Mitigations

To reduce the amount of information gathered, one could disable various geolocation features of the operating system not required for system operation.

Related Weaknesses (CWE)

CWE ID Description
CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere

Related CAPECs

CAPEC ID Description
CAPEC-169 An adversary engages in probing and exploration activities to identify constituents and properties of the target.

Taxonomy Mappings

Taxonomy: ATTACK

Entry ID Entry Name
1614 System Language Discovery

Stay Ahead of Attack Patterns

Understanding CAPEC patterns helps security professionals anticipate and thwart potential attacks. Leverage these insights to enhance threat modeling, strengthen your software development lifecycle, and train your security teams effectively.