Console CodePage Lookup Via CHCP
Detects use of chcp to look up the system locale value as part of host discovery
Sigma rule
```yaml
title: Console CodePage Lookup Via CHCP
id: 7090adee-82e2-4269-bd59-80691e7c6338
status: experimental
description: Detects use of chcp to look up the system locale value as part of host discovery
references:
    - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
author: _pete_0, TheDFIRReport
date: 2022-02-21
modified: 2024-03-05
tags:
    - attack.discovery
    - attack.t1614.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\cmd.exe'
        ParentCommandLine|contains|windash:
            - ' -c '
            - ' -r '
            - ' -k '
        Image|endswith: '\chcp.com'
        CommandLine|endswith:
            - 'chcp'
            - 'chcp '
            - 'chcp  '
    condition: selection
falsepositives:
    - During an Anaconda update the 'conda.exe' process will eventually execute the 'chcp' command.
    - Discord was seen using chcp to look up code pages
level: medium
```
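As an added example (not part of the Sigma project or of this rule's own files), the selection above rendered as plain Python and run over constructed process_creation events. It shows why only a bare `chcp` lookup fires while `chcp 65001` does not, and how the `windash` modifier lets ` /c ` match as well as ` -c `; the dash set used for `windash`, the field names and the sample events are assumptions.

```python
import itertools

# Dash characters the windash modifier expands '-' into. Assumed set following
# the Sigma windash specification; adjust to what your backend implements.
WINDASH_CHARS = ("-", "/", "\u2013", "\u2014", "\u2015")

def windash_variants(value):
    """Return every variant of value with each '-' swapped for a windash char."""
    parts = value.split("-")
    variants = []
    for combo in itertools.product(WINDASH_CHARS, repeat=len(parts) - 1):
        text = parts[0]
        for dash, part in zip(combo, parts[1:]):
            text += dash + part
        variants.append(text)
    return variants

# The rule's selection as string tests. Sigma string matching is
# case-insensitive by default, so every field is lower-cased first.
PARENT_SWITCHES = [v for s in (" -c ", " -r ", " -k ") for v in windash_variants(s)]
CHCP_SUFFIXES = ("chcp", "chcp ", "chcp  ")

def rule_matches(event):
    """True when a process_creation event satisfies the rule's selection."""
    f = {k: event.get(k, "").lower() for k in
         ("ParentImage", "ParentCommandLine", "Image", "CommandLine")}
    return (f["ParentImage"].endswith("\\cmd.exe")
            and any(s in f["ParentCommandLine"] for s in PARENT_SWITCHES)
            and f["Image"].endswith("\\chcp.com")
            and any(f["CommandLine"].endswith(s) for s in CHCP_SUFFIXES))

def sample_events():
    """Constructed sample events, not real telemetry."""
    base = {"ParentImage": r"C:\Windows\System32\cmd.exe",
            "Image": r"C:\Windows\System32\chcp.com"}
    return [
        # bare lookup spawned via cmd /c: matches
        dict(base, ParentCommandLine="cmd.exe /c chcp", CommandLine="chcp"),
        # same lookup with -k and trailing spaces: matches
        dict(base, ParentCommandLine='cmd.exe -k "chcp  "', CommandLine="chcp  "),
        # setting a code page is not a lookup: no match
        dict(base, ParentCommandLine="cmd.exe /c chcp 65001", CommandLine="chcp 65001"),
        # interactive cmd.exe without a -c/-r/-k switch: no match
        dict(base, ParentCommandLine="cmd.exe", CommandLine="chcp"),
        # parent is not cmd.exe: no match
        dict(base, ParentImage=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             ParentCommandLine="powershell.exe -c chcp", CommandLine="chcp"),
    ]

def evaluate(events):
    """Run the rule over a list of events and return one verdict per event."""
    return [rule_matches(e) for e in events]
```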
Related rules
- CHCP CodePage Locale Lookup
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AD Groups Or Users Enumeration Using PowerShell - PoshModule
- AD Groups Or Users Enumeration Using PowerShell - ScriptBlock