LoFP / discord was seen using chcp to look up code pages

Techniques

Sample rules

Console CodePage Lookup Via CHCP

source: sigma
technicques:
- t1614
- t1614.001

Description

Detects use of chcp to look up the system locale value as part of host discovery

Detection logic

condition: selection
selection:
  CommandLine|endswith:
  - chcp
  - 'chcp '
  - 'chcp  '
  Image|endswith: \chcp.com
  ParentCommandLine|contains|windash:
  - ' -c '
  - ' -r '
  - ' -k '
  ParentImage|endswith: \cmd.exe