Console CodePage Lookup Via CHCP

Detects use of chcp to look up the system locale value as part of host discovery

Sigma rule

title: Console CodePage Lookup Via CHCP
id: 7090adee-82e2-4269-bd59-80691e7c6338
status: experimental
description: Detects use of chcp to look up the system locale value as part of host discovery
references:
    - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
author: _pete_0, TheDFIRReport
date: 2022/02/21
modified: 2024/03/05
tags:
    - attack.discovery
    - attack.t1614.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\cmd.exe'
        ParentCommandLine|contains|windash:
            - ' -c '
            - ' -r '
            - ' -k '
        Image|endswith: '\chcp.com'
        CommandLine|endswith:
            - 'chcp'
            - 'chcp '
            - 'chcp  '
    condition: selection
falsepositives:
    - During an Anaconda update the 'conda.exe' process will eventually execute the 'chcp' command.
    - Discord was seen using chcp to look up code pages
level: medium
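The selection above is easier to reason about when run over concrete events. The following is an added example, not code from SigmaHQ or from the rule's authors: it re-implements the single selection in plain Python (Sigma's default case-insensitive matching is assumed, and the dash set expanded by the windash modifier is assumed from the Sigma specification: hyphen, slash, en dash, em dash and horizontal bar) and applies it to a handful of constructed process_creation events, using the Sigma field names directly as dictionary keys.

```python
"""Evaluate the 'Console CodePage Lookup Via CHCP' selection against sample events."""

# Sigma string comparisons are case-insensitive unless a modifier says otherwise,
# so every field is lower-cased before matching.

# Dash variants the Sigma 'windash' modifier expands '-' into: hyphen, slash,
# en dash, em dash and horizontal bar (assumed from the Sigma specification).
WINDASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")


def windash(value):
    """Return every variant of `value` with '-' swapped for a windash alternative."""
    return [value.replace("-", dash) for dash in WINDASH_VARIANTS]


# Rule values, expanded the way the modifiers in the YAML above expand them.
PARENT_FLAG_PATTERNS = [v.lower() for flag in (" -c ", " -r ", " -k ") for v in windash(flag)]
CHCP_SUFFIXES = ("chcp", "chcp ", "chcp  ")


def matches_rule(event):
    """Apply the rule's selection to one process_creation event (dict keyed by Sigma field names)."""
    parent_image = event.get("ParentImage", "").lower()
    parent_cmd = event.get("ParentCommandLine", "").lower()
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return (
        parent_image.endswith("\\cmd.exe")                      # ParentImage|endswith
        and any(p in parent_cmd for p in PARENT_FLAG_PATTERNS)  # ParentCommandLine|contains|windash
        and image.endswith("\\chcp.com")                        # Image|endswith
        and any(cmd.endswith(s) for s in CHCP_SUFFIXES)         # CommandLine|endswith
    )


# Constructed sample events (not real telemetry), one per case worth understanding.
SAMPLE_EVENTS = [
    {   # discovery one-liner: cmd /c chcp with no argument -> should match
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "ParentCommandLine": "cmd.exe /c chcp",
        "Image": "C:\\Windows\\System32\\chcp.com",
        "CommandLine": "chcp",
    },
    {   # same, but the flag is written with an en dash (U+2013); windash still catches it
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "ParentCommandLine": "cmd.exe \u2013c chcp",
        "Image": "C:\\Windows\\System32\\chcp.com",
        "CommandLine": "chcp",
    },
    {   # setting a code page (common in build scripts): CommandLine ends in '65001' -> no match
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "ParentCommandLine": "cmd.exe /c chcp 65001",
        "Image": "C:\\Windows\\System32\\chcp.com",
        "CommandLine": "chcp 65001",
    },
    {   # interactive cmd session: no /c, /r or /k on the parent command line -> no match
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\"",
        "Image": "C:\\Windows\\System32\\chcp.com",
        "CommandLine": "chcp",
    },
    {   # spawned from PowerShell rather than cmd.exe: ParentImage check fails -> no match
        "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "ParentCommandLine": "powershell.exe -c chcp",
        "Image": "C:\\Windows\\System32\\chcp.com",
        "CommandLine": "chcp",
    },
]


def evaluate_samples(events=SAMPLE_EVENTS):
    """Return the rule verdict for each sample event, in order."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate_samples()):
        print("MATCH  " if hit else "no hit ", event["ParentCommandLine"], "->", event["CommandLine"])
```

Two things the samples make visible that the YAML alone does not: the rule only fires when chcp is launched by a non-interactive cmd.exe (one started with /c, /r or /k), so the same lookup typed into an interactive prompt or run from PowerShell is out of scope, and `chcp 65001` (setting a code page rather than reading it) is deliberately excluded by the endswith values. A real deployment relies on the Sigma backend to emit the case-insensitive and windash-expanded comparisons that this script hand-codes.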
