CHCP executed
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
|---|---|---|---|---|
| CHCP executed | Standard | Sysmon, Windows | Execution: Command and Scripting Interpreter - PowerShell (T1059.001) | Attention |
About the rule
Rule Type
Standard
Rule Description
This analytic detects potential malware activity (for example, IcedID) by monitoring for the execution of chcp.exe. Note that the utility ships as C:\Windows\System32\chcp.com, so the match should be on the file name chcp regardless of extension and path. chcp displays or changes the active console code page; malware runs it without arguments to read the current code page and infer the system's language and locale during reconnaissance.
Why this rule?
CHCP (Change Code Page) execution is an environmental reconnaissance technique used by malware families such as IcedID, Emotet and TrickBot, and by ransomware operators, to identify system locale, language settings and regional configuration before deploying a payload. Attackers use this information to avoid infecting systems in certain countries (particularly former Soviet states), to tailor payloads to a region, to select encryption targets, and to detect sandboxes whose locale does not match the intended victim geography. While chcp is a legitimate Windows utility, its execution outside normal administrative contexts (for example, spawned by a script host, an Office application, or a binary running from a user profile or temp directory) is consistent with automated system fingerprinting in the early stages of an infection chain, before credential theft, lateral movement or ransomware deployment.
Severity
Attention
Rule journey
Attack chain scenario
Execution → CHCP Execution → System Information Gathering → Reconnaissance.
Impact
System reconnaissance enabling tailored malware deployment based on system configuration.
Rule Requirement
Prerequisites
Enable process creation auditing (Windows Security Event ID 4688, with the "Include command line in process creation events" policy enabled so the command line and creator process are recorded) or Sysmon Event ID 1, which includes the parent image and parent command line by default.
Criteria
Action1: a process creation event (Windows Security Event ID 4688 or Sysmon Event ID 1) in which the new process image file name is chcp (chcp.com as shipped in System32; rules written only against chcp.exe will miss the real binary), matched case-insensitively and regardless of path.
select: event time, hostname, user, new process image, command line, parent process image, parent process command line.
Detection
Execution Mode
Real-time
Log Sources
Sysmon, Windows
MITRE ATT&CK
Execution: Command and Scripting Interpreter - PowerShell (T1059.001)
Future actions
Known False Positives
A few applications and IT administrators run chcp legitimately (for example, scripts that switch the console to UTF-8 with chcp 65001 before processing non-ASCII output). Tune on the parent process rather than on chcp itself, and add exceptions for vetted parent images as required.
Next Steps
- Identification: Identify the parent process that spawned chcp.exe.
- Analysis: Determine if this is part of a malware execution chain.
- Response: Investigate associated processes and network activity.
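The following is an added example, not the vendor's detection engine or any code from this rule, showing the criteria above run over a handful of constructed Sysmon Event ID 1 records together with the parent-process triage and exception handling described under Next Steps and Known False Positives. Field names mirror Sysmon's ProcessCreate event; the sample events, the exception list (a hypothetical deployment tool under Program Files) and the parent heuristics (script hosts, Office applications, binaries outside Windows and Program Files) are assumptions made for the example.

```python
"""Added example: the CHCP rule's logic applied to constructed Sysmon Event ID 1 records.

Not the vendor's detection engine. Field names mirror Sysmon ProcessCreate; the sample
events, the exception list and the parent heuristics are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional
import ntpath

# chcp ships in System32 as chcp.com; chcp.exe is matched as well so a rule or a
# renamed copy using ".exe" does not silently miss the real binary.
CHCP_NAMES = {"chcp.com", "chcp.exe"}

# Assumption: parent images an admin team has vetted (the "exceptions" the rule's
# false-positive note suggests). Compared case-insensitively on the full path.
PARENT_EXCEPTIONS = {
    r"c:\program files\contoso\deploy\deploy.exe",  # hypothetical deployment tool
}

# Assumption: parents that have no legitimate reason to query the code page.
SCRIPT_AND_OFFICE_PARENTS = {
    "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
    "winword.exe", "excel.exe", "outlook.exe",
}

# Assumption: parents launched from anywhere else are treated as non-standard.
STANDARD_ROOTS = ("c:\\windows\\", "c:\\program files")


@dataclass(frozen=True)
class ProcessCreate:
    """Subset of Sysmon Event ID 1 fields needed by the rule."""
    utc_time: str
    image: str
    command_line: str
    parent_image: str
    parent_command_line: str
    user: str


@dataclass(frozen=True)
class Alert:
    utc_time: str
    user: str
    command_line: str
    parent_image: str
    parent_command_line: str
    reason: str


def is_chcp(image: str) -> bool:
    """Match on the basename so any install path or case variant is caught."""
    return ntpath.basename(image).lower() in CHCP_NAMES


def classify_parent(parent_image: str) -> Optional[str]:
    """Return an alert reason, or None when the parent is on the exception list."""
    parent = parent_image.lower()
    if parent in PARENT_EXCEPTIONS:
        return None
    name = ntpath.basename(parent)
    if name in SCRIPT_AND_OFFICE_PARENTS:
        return "chcp spawned by a script host or Office application"
    if not parent.startswith(STANDARD_ROOTS):
        return "chcp spawned from a non-standard location (user profile, temp, etc.)"
    return "chcp executed; review parent process context"


def detect(events: List[ProcessCreate]) -> List[Alert]:
    """Apply the rule: every chcp process creation not covered by an exception."""
    alerts = []
    for e in events:
        if not is_chcp(e.image):
            continue
        reason = classify_parent(e.parent_image)
        if reason is None:
            continue
        alerts.append(Alert(e.utc_time, e.user, e.command_line,
                            e.parent_image, e.parent_command_line, reason))
    return alerts


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    # Admin switching the console to UTF-8: alerts, but the parent context is benign.
    ProcessCreate("2024-05-01 09:12:03.117", r"C:\Windows\System32\chcp.com", "chcp 65001",
                  r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "chcp 65001 && dir"', r"CORP\it.admin"),
    # Loader in the user's temp directory fingerprinting the locale.
    ProcessCreate("2024-05-01 09:14:41.902", r"C:\Windows\System32\CHCP.COM", "chcp",
                  r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
                  r"C:\Users\jdoe\AppData\Local\Temp\update.exe", r"CORP\jdoe"),
    # Script host from a downloaded file spawning chcp.
    ProcessCreate("2024-05-01 09:15:02.300", r"C:\Windows\System32\chcp.com", "chcp",
                  r"C:\Windows\System32\wscript.exe",
                  r'wscript.exe "C:\Users\jdoe\Downloads\invoice.js"', r"CORP\jdoe"),
    # Vetted deployment tool: suppressed by the exception list.
    ProcessCreate("2024-05-01 10:00:00.000", r"C:\Windows\System32\chcp.com", "chcp 437",
                  r"C:\Program Files\Contoso\Deploy\deploy.exe",
                  r"C:\Program Files\Contoso\Deploy\deploy.exe --stage", r"NT AUTHORITY\SYSTEM"),
    # Unrelated process creation: never matched.
    ProcessCreate("2024-05-01 10:01:15.550", r"C:\Windows\System32\notepad.exe", "notepad.exe",
                  r"C:\Windows\explorer.exe", "explorer.exe", r"CORP\jdoe"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.utc_time} {a.user}: {a.reason}\n    parent: {a.parent_command_line}")
```

Three of the five sample events alert and the vetted deployment tool is suppressed; the admin's cmd.exe case still fires, which is the intended behaviour for an Attention-severity rule, and the reason string tells the analyst whether the parent context is what needs investigating.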
Mitigation
- Anti-virus can be used to automatically quarantine suspicious files.
- Set the PowerShell execution policy to execute only signed scripts.
- It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact on the environment, since it could be in use for many legitimate purposes and administrative functions. Disable or restrict the WinRM service to help prevent use of PowerShell for remote execution.
- Use application control where appropriate. PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., Add-Type).
- When PowerShell is necessary, consider restricting the PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration. PowerShell JEA (Just Enough Administration) may also be used to sandbox administration and limit what commands admins and users can execute through remote PowerShell sessions.