CHCP CodePage Locale Lookup
Detects use of chcp to look up the system locale value as part of host discovery
Sigma rule

title: CHCP CodePage Locale Lookup
id: dfbdd206-6cf2-4db9-93a6-0b7e14d5f02f
status: experimental
description: Detects use of chcp to look up the system locale value as part of host discovery
author: _pete_0, TheDFIRReport
references:
    - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
date: 2022/02/21
modified: 2022/02/21
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\chcp.com'
        CommandLine|endswith:
            - 'chcp'
        ParentImage|endswith:
            - '\cmd.exe'
        ParentCommandLine|contains:
            - '/c'
    condition: selection
fields:
    - CommandLine
    - ParentCommandLine
falsepositives:
    - Unknown
level: high
tags:
    - attack.discovery
    - attack.t1614.001
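The selection above evaluated in plain Python against constructed process_creation events, as an added example that is not part of the rule or of the Sigma project's own tooling. It reproduces Sigma's case-insensitive `endswith`/`contains` semantics and shows why a bare `chcp` from `cmd /c` fires while `chcp 65001` (setting a code page) or an interactive shell does not; the event field names are assumed to match the rule's logsource fields.

```python
# Selection reproduced from the rule above; Sigma string modifiers match
# case-insensitively, so values and patterns are lower-cased first.
SELECTION = {
    ("Image", "endswith"): ["\\chcp.com"],
    ("CommandLine", "endswith"): ["chcp"],
    ("ParentImage", "endswith"): ["\\cmd.exe"],
    ("ParentCommandLine", "contains"): ["/c"],
}

def _field_matches(value, modifier, patterns):
    value = value.lower()
    if modifier == "endswith":
        return any(value.endswith(p.lower()) for p in patterns)
    if modifier == "contains":
        return any(p.lower() in value for p in patterns)
    raise ValueError(f"unsupported modifier: {modifier}")

def matches_chcp_lookup(event):
    """True only when every field of the selection matches (AND semantics)."""
    for (field, modifier), patterns in SELECTION.items():
        if not _field_matches(event.get(field, ""), modifier, patterns):
            return False
    return True

# Constructed process_creation events (not taken from any real host).
SAMPLE_EVENTS = [
    {  # bare locale lookup spawned via cmd /c: the rule should fire
        "Image": r"C:\Windows\System32\chcp.com",
        "CommandLine": "chcp",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": 'cmd.exe /c "chcp"',
    },
    {  # code page being set, not read: CommandLine no longer ends in 'chcp'
        "Image": r"C:\Windows\System32\chcp.com",
        "CommandLine": "chcp 65001",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": "cmd.exe /c chcp 65001",
    },
    {  # interactive shell: parent command line carries no /c switch
        "Image": r"C:\Windows\System32\chcp.com",
        "CommandLine": "chcp",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": '"C:\\Windows\\System32\\cmd.exe"',
    },
]

def alerting_events(events=SAMPLE_EVENTS):
    # Indices of the events the selection fires on.
    return [i for i, e in enumerate(events) if matches_chcp_lookup(e)]
```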