MITRE ATT&CK® Analytic

AN1562: Analytic 1562

Processes executing commands to query system locale and language settings, such as 'locale', 'echo $LANG', or parsing environment variables. Suspicious activity is indicated by these commands being run by unusual users, automation scripts, or non-administrative processes.

Enterprise | AN1562 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting Linux processes that query system locale or language settings, such as running `locale`, checking `$LANG`, or parsing related environment variables. For leaders, the value is not that these commands are inherently malicious; they are common and often benign. The decision value is whether the organization can distinguish normal administrative or application behavior from unusual execution by unexpected users, automation, or non-administrative processes.

Executive priority

Prioritize this as a coverage-validation item for Linux monitoring and SOC triage quality rather than as a standalone high-severity signal. It can support incident decision-making when paired with other suspicious activity, because locale and language discovery may indicate environment awareness. Executives and security leaders should ask whether Linux endpoint telemetry captures process ancestry, user context, command-line detail, and environment-variable access well enough to explain who ran the command, from where, and whether it fits approved operations.

Technical view

SOC and detection teams should validate visibility for Linux process execution involving locale and language-setting queries, including `locale`, `echo $LANG`, and parsing of environment variables. Because ATT&CK provides no formal detection logic for this analytic, teams should treat it as a behavioral hypothesis: alert or enrich when these commands are executed by unusual users, automation scripts, or non-administrative processes. Process parentage, execution path, user identity, script context, and timing are important to separate routine configuration checks from activity that deserves correlation with other signals.

Likely telemetry

  • Linux process execution events with command-line arguments
  • User and effective-user context for process launches
  • Parent/child process relationships
  • Shell and automation script execution logs where available
  • Environment-variable usage or shell command history where collected

Detection direction

  • Baseline expected locale and language-setting queries on Linux systems before treating them as suspicious.
  • Tune for unusual users, automation scripts, or non-administrative processes as described by the ATT&CK analytic.
  • Correlate with process ancestry and nearby activity rather than relying on `locale` or `$LANG` access alone.
  • Review false positives from login scripts, application startup routines, configuration management, localization testing, and administrative troubleshooting.
  • Identify blind spots where Linux command-line logging, script visibility, or user attribution is incomplete.
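As an added illustration (not part of the ATT&CK analytic or of Glexia's content), the Python below applies the baseline-and-tune approach described under Technical view and Detection direction to constructed process-execution events: it matches the locale and language queries the analytic names, then reports only those outside an assumed local baseline of expected users, non-automation parents and interactive sessions. The sample events, user and parent names are assumptions, not real telemetry.

```python
import re

# Constructed sample process-execution events (not real telemetry); the
# fields mirror the "likely telemetry" listed on this page.
SAMPLE_EVENTS = [
    {"pid": 101, "user": "alice", "parent": "bash", "tty": "pts/0", "cmdline": "locale"},
    {"pid": 102, "user": "www-data", "parent": "php-fpm", "tty": "", "cmdline": "sh -c 'echo $LANG'"},
    {"pid": 103, "user": "root", "parent": "cron", "tty": "", "cmdline": "/bin/sh -c 'printenv LANG LC_ALL'"},
    {"pid": 104, "user": "alice", "parent": "bash", "tty": "pts/0", "cmdline": "ls -la /tmp"},
    {"pid": 105, "user": "bob", "parent": "sshd", "tty": "pts/2", "cmdline": "locale -a"},
]

# Commands named in the analytic ('locale', 'echo $LANG') plus assumed forms of
# reading LANG/LC_* from the environment (printenv, env). The leading group
# requires a shell-ish boundary so "relocale" or a path component does not match.
LOCALE_QUERY = re.compile(
    r"""(^|[\s;|&/'"])(locale(\s|$)|echo\b.*\$(LANG|LC_\w+)|(printenv|env)\b.*\b(LANG|LC_\w+))"""
)

# Assumed local baseline: users expected to run these checks interactively,
# and parent processes that indicate automation rather than a person.
ADMIN_USERS = {"alice", "root"}
AUTOMATION_PARENTS = {"cron", "crond", "anacron", "systemd"}


def flag_locale_discovery(events, admin_users=ADMIN_USERS, automation_parents=AUTOMATION_PARENTS):
    """Return (event, reasons) pairs for locale/language queries that fall outside the baseline.

    A matching command with no reason attached (expected user, interactive tty,
    non-automation parent) is treated as routine and is not reported.
    """
    findings = []
    for ev in events:
        if not LOCALE_QUERY.search(ev["cmdline"]):
            continue
        reasons = []
        if ev["user"] not in admin_users:
            reasons.append(f"unexpected user {ev['user']}")
        if ev["parent"] in automation_parents:
            reasons.append(f"automation parent {ev['parent']}")
        if not ev["tty"]:
            reasons.append("no controlling tty (non-interactive)")
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in flag_locale_discovery(SAMPLE_EVENTS):
        print(f"pid={ev['pid']} user={ev['user']} parent={ev['parent']} cmd={ev['cmdline']!r}: {'; '.join(reasons)}")
```

The reasons list is meant as enrichment for correlation with process ancestry and nearby activity, in line with the page's advice not to treat a single `locale` or `$LANG` access as a determination on its own.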

Mitigation priorities

  • Ensure Linux endpoint logging captures process command lines, parent process, and user context sufficient for SOC review.
  • Define expected administrative, application, and automation behavior for locale and language checks on key Linux systems.
  • Apply least-privilege and script governance so non-administrative processes and automation have clear ownership and expected behavior.
  • Use this analytic as an enrichment or correlation signal in incident response playbooks rather than as a standalone determination of malicious activity.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Linux and does not specify tactics, related techniques, mitigations, or relationships. Its strongest use is as a practical validation of Linux process telemetry and behavioral baselining around locale/language discovery commands.

Official detection content was not provided, and no relationship context was supplied. Local baselines are required to determine what is unusual; the listed commands are commonly legitimate and should not be treated as malicious by themselves.

Official MITRE ATT&CK definition

Analytic 1562

Processes executing commands to query system locale and language settings, such as 'locale', 'echo $LANG', or parsing environment variables. Suspicious activity is indicated by these commands being run by unusual users, automation scripts, or non-administrative processes.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 7693ffe38e373905...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 7693ffe38e37…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1562 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.