Find sigma rule 
Attack: System Location Discovery: System Language Discovery
Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check)
There are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Query Registry and calls to Native API functions.(Citation: CrowdStrike Ryuk January 2019)
For example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language or parsing the outputs of Windows API functions GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetKeyboardLayoutList and GetUserDefaultLangID.(Citation: Darkside Ransomware Cybereason)(Citation: Securelist JSWorm)(Citation: SecureList SynAck Doppelgänging May 2018)
On a macOS or Linux system, adversaries may query locale to retrieve the value of the $LANG environment variable.
MITRE
Tactic
- discovery
technique
- T1614.001
Test : Discover System Language by Environment Variable Query
OS
- linux
Description:
Identify System language by checking the environment variables
Upon successful execution, the 5 character locale result can be looked up to
correlate the language and territory. Environment query commands are likely
to run with a pattern match command e.g. env | grep LANG
Note: env and printenv will usually provide the same results. set is
also used as a builtin command that does not generate syscall telemetry but
does provide a list of the environment variables.
Executor
sh