Question Analysis

DeviceProcessEvents | where ProcessCommandLine contains 'Get-WinSystemLocale'

DeviceProcessEvents | where FileName =~ "powershell.exe" | where ProcessCommandLine has_any ("Get-WinSystemLocale", "Get-Culture", "Get-UICulture") | extend CmdletUsed = case(ProcessCommandLine has "Get-WinSystemLocale", "Get-WinSystemLocale", ProcessCommandLine has "Get-Culture", "Get-Culture", ProcessCommandLine has "Get-UICulture", "Get-UICulture", "Unknown") | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, CmdletUsed

DeviceProcessEvents | where ProcessCommandLine has "Get-Culture" or ProcessCommandLine has "CultureInfo" or ProcessCommandLine has "CultureInfo" | distinct ProcessCommandLine | take 10

DeviceProcessEvents | where InitiatingProcessFileName has_cs "powershell.exe" and (ProcessCommandLine has "Get-Culture" or ProcessCommandLine has "Get-UICulture" or ProcessCommandLine has "Get-WinSystemLocale" or ProcessCommandLine has "Get-WinUserLanguageList") | project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine | order by Timestamp desc

DeviceProcessEvents | where ProcessCommandLine contains 'Get-Culture' or ProcessCommandLine contains 'Get-WinSystemLocale' | project TimeGenerated, DeviceName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId

DeviceProcessEvents | where FileName in~ ("powershell.exe","pwsh.exe","powershell_ise.exe") // Look for typical locale/UI language collection commands | where ProcessCommandLine has_any ( "Get-WinSystemLocale", "Get-Culture", "Get-UICulture", "[CultureInfo]::InstalledUICulture", "Get-WinUserLanguageList", "reg query", "Get-ItemProperty" ) // Extract the specific cmdlet/technique used for system locale | extend LocaleCmdlet = coalesce( extract(@"(?i)\b(Get-WinSystemLocale|Get-Culture|Get-UICulture|Get-WinUserLanguageList)\b", 1, ProcessCommandLine), iff(ProcessCommandLine has_cs "[CultureInfo]::InstalledUICulture", "[CultureInfo]::InstalledUICulture", ""), iff(ProcessCommandLine has "reg query" and ProcessCommandLine matches regex @"(?i)\\Control\\Nls\\Language", "reg query Nls\\Language", ""), iff(ProcessCommandLine has "Get-ItemProperty" and ProcessCommandLine matches regex @"(?i)\\Control\\Nls\\Language", "Get-ItemProperty Nls\\Language", "") ) | where isnotempty(LocaleCmdlet) | project TimeGenerated, DeviceName, AccountName, InitiatingProcessAccountName, FileName, ProcessCommandLine, LocaleCmdlet | order by TimeGenerated desc

union DeviceProcessEvents, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents | where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) | extend cmdline = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessCommandLine) // look for common cmdlets/expressions used to get locale/UI language | where cmdline has_any ("Get-WinSystemLocale", "Get-Culture", "Get-WinUserLanguageList", "Get-UICulture", "InstalledUICulture") | extend DetectedCmdlet = extract(@"(?i)\b(Get-WinSystemLocale|Get-Culture|Get-WinUserLanguageList|Get-UICulture|InstalledUICulture)\b", 1, cmdline) | project TimeGenerated, DeviceName, DeviceId, AccountName, InitiatingProcessAccountName, InitiatingProcessFileName, ProcessId, cmdline, DetectedCmdlet | order by TimeGenerated desc | take 50

union isfuzzy=true DeviceProcessEvents, DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceRegistryEvents | extend CommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, '') | where isnotempty(CommandLine) // Focus on PowerShell (classic and pwsh) | where tolower(CommandLine) contains "powershell" or tolower(CommandLine) contains "pwsh" // Extract known locale/culture cmdlets and common access patterns | extend MatchedCmdlet = extract(@"(?i)\b(Get-WinSystemLocale|Get-Culture|Get-UICulture|Get-WinUserLanguageList|Get-UserPreferredUILanguages|Get-ItemPropertyValue|Get-ItemProperty|Get-Item|Get-ChildItem|Get-Content|reg\s+query|InstalledUICulture|CurrentCulture|CultureInfo)\b", 1, CommandLine) // Also capture registry access patterns that indicate locale queries (HKLM/HKEY_LOCAL_MACHINE paths with locale-related keys) | extend MatchedRegistry = extract(@"(?i)(HKLM:\\|HKEY_LOCAL_MACHINE\\)[^\r\n;]*?(InstallLanguage|InstallLocale|LocaleName|Locale|MUI|CurrentCulture|Nls|Language)[^\r\n;]*", 0, CommandLine) | where isnotempty(MatchedCmdlet) or isnotempty(MatchedRegistry) | project TimeGenerated, DeviceName, DeviceId, ReportId, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessId, ProcessId, MatchedCmdlet, MatchedRegistry, CommandLine | sort by TimeGenerated desc | take 200

union isfuzzy=true DeviceProcessEvents, DeviceEvents | extend ProcFile = tolower(coalesce(FileName, InitiatingProcessFileName)) | extend CmdLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | where ProcFile in ("powershell.exe", "pwsh.exe", "pwsh", "pwsh-preview.exe", "powershell7.exe") | where isnotempty(CmdLine) // Look for common PowerShell cmdlets / patterns that reveal system/UI locale | where CmdLine matches regex @"(?i)(Get-CultureInfo|Get-Culture|Get-UICultureInfo|Get-UICulture|Get-WinSystemLocale|Get-WinUserLanguageList|Get-ItemPropertyValue|Get-ItemProperty|Get-CimInstance|Get-WmiObject|gwmi|HKLM:\\(SYSTEM|System)\\CurrentControlSet\\Control\\Nls\\Locale|Nls\\Locale)" | extend MatchedCmdlet = extract(@"(?i)\b(Get-CultureInfo|Get-Culture|Get-UICultureInfo|Get-UICulture|Get-WinSystemLocale|Get-WinUserLanguageList|Get-ItemPropertyValue|Get-ItemProperty|Get-CimInstance|Get-WmiObject|gwmi)\b", 1, CmdLine) | project TimeGenerated, DeviceName, DeviceId, AccountName, InitiatingProcessAccountName, ProcFile, ProcessId = coalesce(ProcessId, InitiatingProcessId), CmdLine, MatchedCmdlet | sort by TimeGenerated desc | take 500

DeviceProcessEvents | where InitiatingProcessFileName in ('powershell.exe', 'pwsh.exe') | where ProcessCommandLine has_any ('Get-Culture', 'Get-UICulture', 'locale', 'language', 'region') | project DeviceName, Timestamp, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, AccountName | order by Timestamp desc

DeviceProcessEvents | where FileName == 'powershell.exe' | where ProcessCommandLine contains 'Get-Culture' or ProcessCommandLine contains 'Get-WinSystemLocale' | project Timestamp, DeviceName, ProcessCommandLine, AccountName | order by Timestamp desc

union DeviceEvents, DeviceFileEvents, DeviceImageLoadEvents, DeviceLogonEvents, DeviceNetworkEvents, DeviceProcessEvents, DeviceRegistryEvents | where TimeGenerated >= ago(7d) // Combine possible command line fields for different event types | extend FullCommandLine = coalesce(InitiatingProcessCommandLine, ProcessCommandLine, AdditionalFields.CommandLine) | where isnotempty(FullCommandLine) | where tolower(FullCommandLine) has "powershell" and tolower(FullCommandLine) has_any ("get-culture", "get-uiculture", "get-winsystemlocale", "locale") // Extract the relevant cmdlet name found | extend LocaleCmdlet = extract(@"(get-culture|get-uiculture|get-winsystemlocale|locale)", 0, tolower(FullCommandLine)) | project TimeGenerated, DeviceName, FullCommandLine, LocaleCmdlet, InitiatingProcessAccountName, InitiatingProcessAccountDomain | order by TimeGenerated desc

DeviceProcessEvents | where TimeGenerated >= ago(14d) // Adjust the time range as needed | where (InitiatingProcessCommandLine contains "powershell" or ProcessCommandLine contains "powershell" or InitiatingProcessCommandLine contains "pwsh" or ProcessCommandLine contains "pwsh") | where (InitiatingProcessCommandLine has_any ("Get-Culture","Get-UICulture","Get-WinSystemLocale","wmic os get locale","Get-CimInstance","Get-WmiObject","Win32_OperatingSystem") or ProcessCommandLine has_any ("Get-Culture","Get-UICulture","Get-WinSystemLocale","wmic os get locale","Get-CimInstance","Get-WmiObject","Win32_OperatingSystem")) | project TimeGenerated, DeviceId, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents // limit to PowerShell invocations | where FileName has_any ("powershell.exe", "pwsh.exe", "powershell_ise.exe") // look for commands that query the system locale | where ProcessCommandLine has_any ("Get-WinSystemLocale", "Get-Culture") // extract the exact cmdlet that was used | extend LocaleCmdlet = extract(@"(?i)(Get-WinSystemLocale|Get-Culture)", 1, ProcessCommandLine) | where isnotempty(LocaleCmdlet) | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, LocaleCmdlet | order by TimeGenerated desc

DeviceProcessEvents | where FileName in~ ("powershell.exe", "pwsh.exe") | where ProcessCommandLine matches regex @"(?i)Get-(Culture|UICulture|WinSystemLocale)" | extend Cmdlet = extract(@"(?i)(Get-(?:Culture|UICulture|WinSystemLocale))", 1, ProcessCommandLine) | summarize Count = count(), SampleCommandLine = any(ProcessCommandLine) by Cmdlet | order by Count desc