AN0119: Analytic 0119
Unusual process or API usage attempting to query system locale, timezone, or keyboard layout (e.g., calls to GetLocaleInfoW, GetTimeZoneInformation). Detection can be enhanced by correlating with processes not typically associated with system configuration queries, such as unknown binaries or scripts.
Analyst context for executives and security teams
This analytic matters because locale, timezone, and keyboard-layout checks can help software understand where it is running. In a security context, unusual Windows processes making these queries may be an early clue that an unknown binary or script is profiling the environment before deciding what to do next. For leaders, the value is not that every locale query is suspicious; it is whether the SOC can distinguish normal system and application behavior from unexpected reconnaissance-like activity.
Executive priority
Treat this as a coverage-validation item for Windows endpoint visibility and SOC triage quality. The business question is whether teams can see and investigate unusual process or API usage tied to system configuration queries, especially from unknown binaries or scripts. This supports incident decision-making, audit evidence for endpoint monitoring, and prioritization of controls around script execution, unknown software, and endpoint telemetry quality.
Technical view
Validate that Windows endpoint telemetry can identify processes or API activity attempting to query system locale, timezone, or keyboard layout, including examples such as GetLocaleInfoW and GetTimeZoneInformation. Because no ATT&CK tactic or relationship context is supplied, detection should be framed as behavior enrichment rather than a standalone high-confidence alert. SOC teams should baseline processes normally associated with system configuration queries and raise priority when the activity comes from unknown binaries, scripts, or otherwise unusual parent/child process context.
Likely telemetry
- Windows process creation telemetry, including image path, command line, parent process, user, and signing or reputation context where available
- Endpoint detection telemetry that records or enriches API usage such as locale, timezone, or keyboard-layout queries
- Script execution telemetry for Windows scripting hosts and command interpreters
- File and binary metadata for unknown executables, including hash, path, signer, and first-seen timing
- Host inventory or application baseline data to distinguish expected software from unusual processes
Detection direction
- Baseline normal Windows and business-application use of locale, timezone, and keyboard-layout queries to reduce noise.
- Correlate configuration-query behavior with processes not typically associated with those queries, especially unknown binaries or scripts, as stated in the official analytic description.
- Avoid treating API usage alone as conclusive; use process lineage, user context, file metadata, prevalence, and adjacent endpoint events to determine priority.
- Tune for false positives from legitimate installers, localization-aware applications, administrative tools, and software that adapts to regional settings.
- Use this analytic as an enrichment signal in broader investigations when other suspicious process, script, or file activity is present.
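The correlation approach laid out in the bullets above (baseline the normal querying processes, then weigh signer, prevalence, parent lineage and file location before assigning priority) can be sketched as a small triage routine. This is an added example written for this page, not MITRE or Glexia code: the event fields, the scoring weights, the baseline contents, the sample events and the extra Win32 API names beyond GetLocaleInfoW and GetTimeZoneInformation are all assumptions about what endpoint tooling might record, and the telemetry is constructed inline.

```python
"""Correlation-based triage of locale / timezone / keyboard-layout API queries.

Added illustration for AN0119; not MITRE or Glexia code. Event fields, weights,
baseline entries and sample telemetry are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# APIs the analytic names plus a few related real Win32 calls (assumed to be
# what an EDR might surface as "locale/timezone/keyboard-layout" activity).
LOCALE_APIS = {"GetLocaleInfoW", "GetLocaleInfoEx", "GetTimeZoneInformation",
               "GetKeyboardLayout", "GetKeyboardLayoutList",
               "GetUserDefaultUILanguage"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "mshta.exe"}
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


@dataclass
class Event:
    ts: int                 # seconds since epoch (constructed)
    host: str
    image: str              # full path of the process issuing the call
    parent: str             # parent image name
    user: str
    signer: Optional[str]   # None = unsigned
    prevalence: int         # fleet hosts on which this image has been seen
    api: str


@dataclass
class Baseline:
    known_images: set       # lower-cased paths routinely seen making these queries
    trusted_signers: set
    rare_threshold: int = 3
    burst_window: int = 60  # seconds


def score_event(ev: Event, bl: Baseline) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one API event; 0 means baseline/noise."""
    image_l = ev.image.lower()
    name = image_l.rsplit("\\", 1)[-1]
    if image_l in bl.known_images:
        return 0, ["baseline process"]
    score, reasons = 0, []
    if ev.signer is None or ev.signer not in bl.trusted_signers:
        score += 3; reasons.append("unsigned or untrusted signer")
    if ev.prevalence <= bl.rare_threshold:
        score += 3; reasons.append("rare in fleet")
    if ev.parent.lower() in SCRIPT_HOSTS:
        score += 2; reasons.append("spawned by script host")
    if name in SCRIPT_HOSTS:
        score += 2; reasons.append("script interpreter issuing query")
    if any(h in image_l for h in USER_WRITABLE_HINTS):
        score += 2; reasons.append("runs from user-writable path")
    return score, reasons


def triage(events: List[Event], bl: Baseline) -> List[Dict]:
    """Group events per (host, image), score them, add a burst bonus when a
    non-baseline process touches several locale APIs inside the window."""
    groups: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for ev in events:
        if ev.api in LOCALE_APIS:
            groups[(ev.host, ev.image)].append(ev)
    findings = []
    for (host, image), evs in groups.items():
        evs.sort(key=lambda e: e.ts)
        score, reasons = max((score_event(e, bl) for e in evs), key=lambda r: r[0])
        if score > 0:
            for e in evs:
                apis = {x.api for x in evs if e.ts <= x.ts <= e.ts + bl.burst_window}
                if len(apis) >= 2:
                    score += 2
                    reasons = reasons + ["distinct locale APIs within burst window"]
                    break
            findings.append({"host": host, "image": image, "user": evs[0].user,
                             "score": score, "reasons": reasons,
                             "apis": sorted({e.api for e in evs})})
    findings.sort(key=lambda f: -f["score"])
    return findings


# Constructed sample telemetry and baseline (not real hosts or binaries).
DEFAULT_BASELINE = Baseline(known_images={r"c:\windows\explorer.exe"},
                            trusted_signers={"Microsoft Windows", "Contoso Ltd"})
SAMPLE_EVENTS = [
    Event(1000, "WS01", r"C:\Windows\explorer.exe", "userinit.exe", r"CORP\alice", "Microsoft Windows", 950, "GetLocaleInfoW"),
    Event(1003, "WS01", r"C:\Windows\explorer.exe", "userinit.exe", r"CORP\alice", "Microsoft Windows", 950, "GetTimeZoneInformation"),
    Event(1100, "WS01", r"C:\Program Files\Contoso\Localize.exe", "explorer.exe", r"CORP\alice", "Contoso Ltd", 240, "GetLocaleInfoW"),
    Event(1200, "WS02", r"C:\Windows\System32\cscript.exe", "explorer.exe", r"CORP\bob", "Microsoft Windows", 500, "GetUserDefaultUILanguage"),
    Event(1300, "WS02", r"C:\Users\bob\AppData\Local\Temp\upd.exe", "powershell.exe", r"CORP\bob", None, 1, "GetLocaleInfoW"),
    Event(1308, "WS02", r"C:\Users\bob\AppData\Local\Temp\upd.exe", "powershell.exe", r"CORP\bob", None, 1, "GetTimeZoneInformation"),
    Event(1312, "WS02", r"C:\Users\bob\AppData\Local\Temp\upd.exe", "powershell.exe", r"CORP\bob", None, 1, "GetKeyboardLayout"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, DEFAULT_BASELINE):
        print(f["score"], f["host"], f["image"], ", ".join(f["reasons"]))
```

Run as-is, the baseline explorer.exe events and the signed, widely deployed localization-aware application score zero and never surface, the scripting host gets a low enrichment score, and the unsigned, fleet-unique binary launched from a script host out of a temp directory that walks three locale APIs in a few seconds ranks first. Swapping in your own baseline and weights is the tuning step the bullets describe.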
Mitigation priorities
- Ensure Windows endpoint logging and EDR coverage are sufficient to capture process execution and relevant API or behavioral telemetry.
- Maintain an application and script baseline so unusual binaries or scripts can be identified quickly.
- Strengthen controls around execution of unknown binaries and scripts, using existing application control, least privilege, and endpoint hardening programs where appropriate.
- Document alert logic, triage criteria, and evidence retention so the SOC can show monitoring coverage during compliance or readiness reviews.
- Test detections with benign validation methods that confirm telemetry visibility without relying on offensive procedures.
Analyst notes and limits
This ATT&CK object is a detection analytic, not a technique. It provides a Windows platform scope and a concise behavior description, but no official detection logic, tactics, or relationship context. The most useful implementation is likely correlation-based: combine process/API observations with rarity, script or binary trust, and local baselines.
The supplied object does not provide ATT&CK tactics, related techniques, data components, mitigations, or detection pseudocode. Local environment baselining is required to determine what is unusual, and API-level visibility may vary by endpoint tooling. This take does not assert active exploitation, attribution, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a3dda4fd572b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: AN0119
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.