AN0120: Analytic 0120

Detection of commands accessing locale, timezone, or language settings such as 'locale', 'timedatectl', or parsing /etc/timezone. Anomalous execution by unusual users or automation scripts should be flagged.

EnterpriseAN0120AnalyticObject v1.0 Modified Oct 21, 2025, 15:10 UTC (UTC+00:00)

This analytic is about noticing Linux processes that query locale, timezone, or language settings, such as running `locale` or `timedatectl` or reading `/etc/timezone`. By itself, this can be normal administration or application behavior, but unusual use by unexpected users or automation can be a useful early signal that activity on a host deserves review.

Executive priority

Treat this as a low-noise context signal rather than a standalone incident trigger. Its value is in SOC and incident-response readiness: can the organization prove which Linux users, services, or scripts are collecting environment information, and can analysts distinguish approved automation from anomalous host activity? This supports control validation, audit evidence for Linux monitoring, and faster triage when investigating suspicious sessions or scripts.

Technical view

For Linux environments, validate whether process execution telemetry captures command names, command lines, user context, parent process, host, timestamp, and whether execution was interactive or automated. Detection logic should focus on access to locale, timezone, or language settings, including commands such as `locale` and `timedatectl` and reads or parsing of `/etc/timezone`. Because ATT&CK does not provide a formal detection query for this object, teams should build local baselines and prioritize anomalies involving unusual users, unexpected parent processes, or automation scripts that do not normally perform this behavior.

Likely telemetry

Linux process creation events with command-line arguments
User and session context for local, remote, and service account activity
Parent-child process relationships for shells, scripts, cron jobs, and systemd services
File access or command activity involving `/etc/timezone` where available
Automation logs from scheduled tasks, service units, or orchestration scripts

Detection direction

Baseline expected locale, timezone, and language-setting queries by administrators, applications, and approved automation.
Alert on executions by unusual users, service accounts, or scripts that do not normally query these settings.
Tune for common benign sources such as system startup, configuration management, localization-aware applications, and administrative troubleshooting.
Correlate with surrounding host activity rather than treating the command alone as malicious.
Check for blind spots where Linux command-line logging, parent process data, or automation context is missing.

Mitigation priorities

Ensure Linux endpoint or audit logging captures process execution with sufficient command-line and user context.
Document approved automation and administrative workflows that legitimately access locale or timezone settings.
Apply least-privilege and change-control practices to service accounts and scripts so unexpected execution is easier to identify.
Use this analytic as a triage enrichment signal within broader detection and incident-response workflows, not as a standalone prevention control.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic, not a technique, and no tactic or relationship context was provided. The practical value comes from validating Linux visibility and anomaly handling around environment-discovery style behavior.

Official detection logic was not provided, and the object only specifies Linux. No relationships, adversary usage, impact, or active exploitation context were supplied, so local baselines and environment-specific telemetry are required to determine significance.

Official MITRE ATT&CK definition

Analytic 0120

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Raw hash: 8a04fa45c632023e...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Oct 21, 2025, 15:10 UTC (UTC+00:00)	Current bundle	`8a04fa45c632…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack AN0120
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use