Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0043: Detection Strategy for System Location Discovery

DET0043 is a MITRE detection strategy for identifying System Location Discovery behavior, where an adversary gathers clues about a host’s geographic locati...

EnterpriseDET0043Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0043 is a MITRE detection strategy for identifying System Location Discovery behavior, where an adversary gathers clues about a host’s geographic location. This matters because location checks can influence what the adversary does next, including whether to continue, fully infect a target, or choose specific follow-on actions. For leaders, the practical question is whether SOC and IR teams can see early discovery activity across Windows, Linux, macOS, and IaaS environments before it becomes a broader incident.

Executive priority

Treat this as an early-stage discovery signal that supports incident triage and control validation rather than a standalone proof of compromise. It is relevant to business resilience because adversaries may use host location context to decide whether and how to proceed. Security leaders should ask whether endpoint and cloud monitoring can preserve enough evidence to explain suspicious location-related checks during an investigation, and whether that evidence is available for audit, incident response, and managed detection workflows.

Technical view

The supplied ATT&CK object has no official detection text or platform field of its own, but it detects T1614 System Location Discovery, which is associated with the Discovery tactic and IaaS, Linux, macOS, and Windows platforms. SOC and detection teams should validate visibility into processes, commands, scripts, and system API or configuration queries that inspect location-related host attributes such as time zone and keyboard layout. In IaaS environments, teams should also confirm whether cloud and workload telemetry can distinguish normal administrative inventory from unusual discovery activity tied to suspicious sessions or process lineage.

Likely telemetry

  • Endpoint process creation and command-line telemetry on Windows, Linux, and macOS
  • Script execution logs and shell history where collected and policy-appropriate
  • System configuration or API access events related to time zone and keyboard layout checks
  • EDR telemetry showing parent-child process relationships around discovery activity
  • Cloud/IaaS workload telemetry and audit logs that can place discovery behavior in account, instance, or session context

Detection direction

  • Validate whether existing discovery detections include location-related checks, not only network, user, or host enumeration.
  • Tune detections around context: time zone or keyboard layout queries can be benign during setup, software installation, inventory, localization, and support activity.
  • Prioritize correlation with suspicious process lineage, newly observed binaries or scripts, abnormal user sessions, or other discovery behaviors related to T1614.
  • Check for blind spots on non-Windows endpoints and IaaS workloads, since the related technique spans Windows, Linux, macOS, and IaaS.
  • Ensure alerts preserve enough evidence for IR: host, user, process tree, command/script content where available, timestamp, and cloud/account context.

Mitigation priorities

  • First, ensure logging and endpoint telemetry are enabled consistently across Windows, Linux, macOS, and IaaS workloads in scope.
  • Next, baseline legitimate administrative and software behaviors that query time zone, keyboard layout, or similar location indicators.
  • Use least privilege, controlled administration paths, and managed scripting practices to reduce unauthorized discovery opportunities and improve attribution of activity.
  • Integrate detection outputs into incident response playbooks so location-discovery signals are investigated alongside other discovery and execution evidence.
  • Review coverage as part of managed detection, cloud security, and compliance-readiness assessments, especially where audit evidence depends on proving visibility into early adversary behavior.
Analyst notes and limits

The relationship to T1614 is the main source of analytic value. The detection strategy object itself does not provide an official description, detection logic, tactics, or platforms. Therefore, this take frames DET0043 as a coverage and validation prompt for System Location Discovery rather than as a complete analytic specification.

No official detection text, data sources, analytics, or mitigations were supplied for DET0043. Platform and tactic context comes only from the related T1614 technique. Local environment baselines are required to separate normal localization, administration, and inventory activity from suspicious discovery behavior.

Official MITRE ATT&CK definition

Detection Strategy for System Location Discovery

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1614 System Location Discovery This object detects System Location Discovery.
Relationship explorer

All related ATT&CK context

detects · Technique T1614: System Location Discovery Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
2bddda9bd7bd9f10...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 2bddda9bd7bd…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0043
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use