CHCP CodePage Locale Lookup

Detects use of chcp to look up the system locale value as part of host discovery

Sigma rule

title: CHCP CodePage Locale Lookup
id: dfbdd206-6cf2-4db9-93a6-0b7e14d5f02f
status: experimental
description: Detects use of chcp to look up the system locale value as part of host discovery
author: _pete_0, TheDFIRReport
references:
  - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
  - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
date: 2022/02/21
modified: 2022/02/21
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\chcp.com'
    CommandLine|endswith:
      - 'chcp'
    ParentImage|endswith:
      - '\cmd.exe'
    ParentCommandLine|contains:
      - '/c'
  condition: selection
fields:
  - CommandLine
  - ParentCommandLine
falsepositives:
  - Unknown
level: high
tags:
  - attack.discovery
  - attack.t1614.001
