# T1614 - System Location Discovery
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1614)
Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as GetLocaleInfoW can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance's availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)
Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)
## Atomic Tests
- [Atomic Test #1 - Get geolocation info through IP-Lookup services using curl Windows](#atomic-test-1---get-geolocation-info-through-ip-lookup-services-using-curl-windows)
- [Atomic Test #2 - Get geolocation info through IP-Lookup services using curl freebsd, linux or macos](#atomic-test-2---get-geolocation-info-through-ip-lookup-services-using-curl-freebsd-linux-or-macos)
## Atomic Test #1 - Get geolocation info through IP-Lookup services using curl Windows
Get geolocation info through IP-Lookup services using curl Windows. The default URL of the IP-Lookup service is https://ipinfo.io/. References: https://securelist.com/transparent-tribe-part-1/98127/ and https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
**Supported Platforms:** Windows
**auto_generated_guid:** fe53e878-10a3-477b-963e-4367348f5af5
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ip_lookup_url | URL of the IP-Lookup service | url | https://ipinfo.io/|
| curl_path | path to curl.exe | path | C:\Windows\System32\Curl.exe|
#### Attack Commands: Run with `command_prompt`!
```cmd
#{curl_path} -k #{ip_lookup_url}
```
#### Dependencies: Run with `powershell`!
##### Description: Curl must be installed on system.
##### Check Prereq Commands:
```powershell
if (Test-Path #{curl_path}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://curl.se/windows/dl-8.4.0_6/curl-8.4.0_6-win64-mingw.zip" -Outfile "PathToAtomicsFolder\..\ExternalPayloads\curl.zip"
Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\curl.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\curl"
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\curl\curl-8.4.0_6-win64-mingw\bin\curl.exe" C:\Windows\System32\Curl.exe
```
## Atomic Test #2 - Get geolocation info through IP-Lookup services using curl freebsd, linux or macos
Get geolocation info through IP-Lookup services using curl Windows. The default URL of the IP-Lookup service is https://ipinfo.io/. References: https://securelist.com/transparent-tribe-part-1/98127/ and https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
**Supported Platforms:** macOS, Linux
**auto_generated_guid:** 552b4db3-8850-412c-abce-ab5cc8a86604
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ip_lookup_url | URL of the IP-Lookup service | url | https://ipinfo.io/|
#### Attack Commands: Run with `bash`!
```bash
curl -k #{ip_lookup_url}
```