So you finished writing your perfect threat hunting query. <\/p>\n\n\n\n
Done and dusted, right?<\/p>\n\n\n\n
Hmm, sorry… chances are, it is… broken.<\/p>\n\n\n\n
How come? <\/p>\n\n\n\n
One reason, but it has many acronyms: L10N, T9N, I18N or G11N.<\/p>\n\n\n\n
If you are mostly dealing with English-centric versions of the operating systems you may now stop reading. But… You will be missing out.<\/p>\n\n\n\n
Why? <\/p>\n\n\n\n
THERE ARE OTHER LANGUAGES OUT THERE. And they come with a luggage…<\/p>\n\n\n\n
The acronyms listed earlier expand into:<\/p>\n\n\n\n
They define a different world. The world that is quite esoteric to monoglots. The world that embraces the world of ‘other languages in use’. The whole lot of new devices ‘suddenly in scope’, too. The world of foreigners who do not use English as their MAIN language. Most of Europe really. Many places in the world, REALLY!<\/p>\n\n\n\n
In this world, your c:\\Program Files becomes… an item from this table<\/a>.<\/p>\n\n\n\n Pfff… and suddenly, all your queries relying on hard-coded ‘program files’ string need to be adjusted. <\/p>\n\n\n\n You are welcome! \ud83d\ude42<\/p>\n\n\n\n And it’s not the only artifact that changes. <\/p>\n\n\n\n What about ‘New folder”? This thread<\/a> shows some examples of “New Folder” string represented in various languages:<\/p>\n\n\n\n And again, this is just one of many ‘not so subtle’ localization changes to the OS that affects the way you should be writing your threat hunting queries or doing your DFIR engagement. And yes, it complicates things A LOT. And yes, Hebrew, Arabic, Chinese and Japanese versions of these do exist as well, and they complicate things even more.<\/p>\n\n\n\n Where does it leave us?<\/p>\n\n\n\n Simple answer: pay attention. More responsible answer: explore the environment & adjust queries as per need. <\/p>\n\n\n\n As long as your results generating framework\/language supports Unicode you should be seeing these localized “things”, but only IF YOU EXPECT THEM. Once you see them, bundle them together and use them as a template, f.ex. use combos like this for a c:\\program files folder name:<\/p>\n\n\n\n These are not all the possibilities, of course, but they are good enough to make us all ‘aware’. <\/p>\n\n\n\n Going forward, we will all be localizing our queries. Oui?<\/p>\n","protected":false},"excerpt":{"rendered":" So you finished writing your perfect threat hunting query. Done and dusted, right? Hmm, sorry… chances are, it is… broken. How come? One reason, but it has many acronyms: L10N, T9N, I18N or G11N. If you are mostly dealing with … Continue reading \"\\Program Files\",\n\"\\Programme\",\n\"\\Archivos de programa\",\n\"\\Programmes\",\n\"\\Programmi\",\n\"\\Arquivos de Programas\",\n\"\\Programmer\",\n\"\\Programfiler\",\n\"\\Fisiere Program\"<\/pre>\n\n\n\n