sameer fakhoury
The Chips N Crisp, unveiling the mysteries of chcp


Unveiling Hidden Commands


Welcome to the third technical article, blue teamers! Today's article isn't about a well-known command, but rather a barely known one with significant impact on the offensive side. So, grab your bag of chips, sit down with your command line, and let's begin detecting Windows secrets.

Delving into Lesser-Known Windows Secrets

Recently, I was investigating an incident. During the investigation I created a table in the SIEM solution that displayed the attacker's _time, ProcessCommandLine, ParentProcessCommandLine, message and other fields. I started analyzing the attacker's executed commands, which ranged from Active Directory enumeration to host enumeration and obfuscated PowerShell commands. However, one command that caught my attention was chcp.

Have you ever heard of the chcp command? I like to call it "chips 'n' crisp" (Bro is delusional), but its real name is "change code page". Now, let's dive into it. But first, let's understand how the command line interprets what we type.


Command Line Demystified

When you type a command at the command line, you are giving instructions to the computer's OS. The command line interpreter (CLI), i.e. the shell, processes a command in these stages:

  1. You type a command and press Enter, and the CLI reads this input:
     $ ls
  2. The CLI breaks the input into parts: the command name and any arguments or options.
  3. The CLI looks up ls. It is not a shell built-in but an external program, so the shell searches the directories listed in PATH, locates the ls executable and runs it. ls reads the current directory and retrieves the list of files and directories.
  4. The result is written to the console. This could be text, an error message, or something else, depending on the command and its execution; for our example it lists everything inside the current directory:
     file1.txt  file2.txt  directory1  directory2

Decoding Console Code Pages: A Deep Dive into CHCP

The active console code page is a crucial aspect of how text is interpreted and displayed in the Windows command prompt.

A code page is a table that maps byte values (or short byte sequences) to characters; the console uses it to decode the bytes it reads and to encode the text it writes. The default console code page is the OEM code page selected by the Windows system locale (437 on a US English install), but you can change it for the current console with the CHCP command, which stands for Change Code Page.


Windows Locale refers to the regional settings that define the user's language, date/time format, currency and sorting preferences. The system locale in particular (the "language for non-Unicode programs") selects the ANSI and OEM code pages, and the OEM code page is the one the console starts with.


Why Does It Matter? Unveiling the Importance of Code Pages

  • Character Display: The code page dictates which characters are displayed when you type in the command prompt. This is especially important when dealing with characters outside the standard ASCII range (0-127), like special symbols or characters from non-English languages.
  • Session Specific: Any changes made to the code page using CHCP are only for the current session. If you open a new command prompt, it will use the default code page unless you change it again.

Real-World Applications: How to Use CHCP Effectively

  1. Typing CHCP with no argument displays the current active code page number:
       C:\> CHCP
       Active code page: 437
  2. To change the code page, give CHCP the code page number. For example, to switch to code page 65001 (UTF-8):
       C:\> CHCP 65001
     This changes the code page for the current console session to 65001.
  3. A command prompt started from within the current one inherits the new code page:
       C:\> CMD
     The nested command prompt runs in the same console and therefore uses code page 65001, as set in the original session.

Top Code Pages You Should Know

Code Page   Country / Region / Language
437         United States (default OEM code page in the US)
850         Multilingual (Latin I)
852         Slavic (Latin II)
65000       UTF-7
65001       UTF-8

Decoding Character Encoding Standards

ASCII: American Standard Code for Information Interchange, a 7-bit character encoding standard for text. Example: A is represented by 65 (0x41).

UTF-8: Unicode (Universal Character Set) Transformation Format, 8-bit, a variable-length encoding for Unicode that uses 1 to 4 bytes per character. Example: A is still the single byte 65 (0x41), while 😊 (smiling face, U+1F60A) is the four bytes F0 9F 98 8A.

  • When we say UTF-8 uses up to 4 bytes, it means a single character can occupy 1, 2, 3 or 4 bytes (up to 8 hexadecimal digits, since each byte is two hex digits). The 128 ASCII characters stay one byte each, so plain ASCII text is already valid UTF-8.
  • For instance, an emoji like 😊 is encoded in UTF-8 using all 4 bytes, which in hexadecimal are the 4 pairs F0 9F 98 8A.
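To make the "why does it matter" section and the encoding notes above concrete, here is an added example (written for this article, not code from chcp or from any Microsoft tool) that decodes the same bytes under several code pages. It uses Python's codec names (cp437, cp850, cp1252, cp936, utf-8) in place of the numeric values chcp accepts; the byte strings are constructed samples.

```python
"""Added example: the same bytes mean different things under different
Windows code pages. Illustration code written for this article; the
mapping from chcp numbers to Python codec names is an assumption of the
example, not something chcp exposes."""
from typing import Dict, Optional

# chcp number -> Python codec name (the numbers are what chcp prints/accepts)
CODE_PAGES: Dict[int, str] = {
    437: "cp437",      # US OEM page, what chcp reports on a default US install
    850: "cp850",      # Multilingual (Latin I)
    852: "cp852",      # Slavic (Latin II)
    1252: "cp1252",    # Windows Western "ANSI" page, common in GUI apps
    936: "cp936",      # Simplified Chinese (GBK)
    1258: "cp1258",    # Vietnamese
    65001: "utf-8",    # UTF-8
}


def decode_under(code_page: int, raw: bytes) -> str:
    """Decode raw bytes the way the console would under the given chcp value.

    Returns the text, or "<undecodable>" when the bytes are not valid in that
    code page (this is the failure mode that breaks an attacker's script when
    it assumes the wrong locale)."""
    try:
        return raw.decode(CODE_PAGES[code_page])
    except UnicodeDecodeError:
        return "<undecodable>"


def encode_under(code_page: int, text: str) -> Optional[bytes]:
    """Encode text for the given code page; None if it cannot be represented."""
    try:
        return text.encode(CODE_PAGES[code_page])
    except UnicodeEncodeError:
        return None


def utf8_hex(text: str) -> str:
    """Hex dump of the UTF-8 bytes, e.g. 'F0 9F 98 8A' for a 4-byte emoji."""
    return " ".join(f"{b:02X}" for b in text.encode("utf-8"))


def utf8_length(text: str) -> int:
    """Number of bytes UTF-8 needs for the given text (1 to 4 per character)."""
    return len(text.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: 0xE9 is 'e-acute' in Windows-1252, a Greek theta in
    # cp437, U-acute in cp850, and invalid on its own in UTF-8.
    sample = b"caf\xe9"
    for cp in (437, 850, 1252, 65001):
        print(f"chcp {cp:<5} -> {decode_under(cp, sample)!r}")
    # A GBK-encoded Chinese character read under the US default page is garbage.
    zhong = encode_under(936, "\u4e2d")
    print(f"GBK bytes {zhong!r} under 437 -> {decode_under(437, zhong)!r}")
    # UTF-8 is variable length: 'A' is one byte, the emoji is four.
    for ch in ("A", "\u00e9", "\u20ac", "\U0001F60A"):
        print(f"{ch!r}: {utf8_length(ch)} byte(s) = {utf8_hex(ch)}")
```

The cp437/cp850 pair is the practical point: both are OEM pages found in the wild, both render byte 0x82 as é, yet 0xE9 differs between them, so a payload carrying non-ASCII bytes will only display (and, for file names, only resolve) correctly if the attacker guessed the right page. Note also that cp437 cannot represent the emoji at all (encode_under returns None), which is why an operator who wants Unicode output switches to 65001 first.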

Code Page Clues: Unmasking Attackers Through the chcp Command

An attacker who has gained a foothold on a Windows machine runs chcp with no argument to query the active code page:

C:\> chcp

The system responds with:

Active code page: 437

Unveiling Locale Secrets

  • Attackers learn the system's locale settings (language and character encoding) from the code page number alone, without touching the registry or WMI.
  • Knowing the code page lets them pick a matching encoding so their scripts or malware run without encoding errors, for example when writing non-ASCII file names or parsing command output.

Crafting Region-Specific Payloads

  • A non-US code page (e.g., 850 for Western European languages, 936 for Simplified Chinese) prompts attackers to use localized file names, commands, or data formats.

Spotting Anomalies in Encoding Commands

  • Security tools can flag unusual usage of chcp during odd times or by suspicious processes.
  • Rare use by legitimate users makes it a potential red flag for malicious activity.

Turning Recon into a Defense Opportunity

  • Alerting on such behavior offers early insight into possible reconnaissance attempts.
  • Defenders can respond proactively to mitigate further malicious actions.

IcedID Detection through Code Page Change Monitoring

EDR agents detected chcp.com (the code page tool is C:\Windows\System32\chcp.com; there is no chcp.exe) being run by cmd.exe with specific command-line arguments. This activity can indicate malware such as IcedID, which uses this technique to determine the locale, language, or country of the compromised system. If malicious, this could lead to further system compromise and data exfiltration.

Cracking the Code: MITRE ATT&CK

Resource link: Command and Scripting Interpreter, Technique T1059 - Enterprise | MITRE ATT&CK® (https://attack.mitre.org/techniques/T1059/)

T1059 covers the cmd.exe session the attacker runs chcp from; the locale lookup itself is described more precisely by T1614.001, System Location Discovery: System Language Discovery, which lists chcp among the commands used for it.

KQL Command-Line Sleuth: Detecting Suspicious CodePage IcedID Switches via CHCP

We are going to write a Kusto Query Language (KQL) query for Microsoft Sentinel that detects suspicious code page switches in process-creation events. One prerequisite: SecurityEvent only carries the CommandLine column when the audit policy "Include command line in process creation events" is enabled on the endpoints; without it the query has nothing to match on.

SecurityEvent
| where EventID == 4688                                 // process creation
| where NewProcessName endswith @"\chcp.com"            // chcp is a .com in System32, not an .exe
| where CommandLine has_any ("936", "1258")             // 936 = Simplified Chinese (GBK), 1258 = Vietnamese; has_* matches whole tokens
| project TimeGenerated, Computer, NewProcessName, CommandLine, ParentProcessName, SubjectUserName
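The same logic, as an added example that is not part of the article's query or of any Sentinel, Defender or IcedID artefact, run in Python over a handful of constructed process-creation records so it can be exercised offline. The field names mirror the columns Sentinel exposes for Windows event 4688 (NewProcessName, CommandLine, ParentProcessName); the events, the watch-list and the verdict labels are assumptions made for the illustration.

```python
"""Added example: the chcp detection run over constructed 4688-style records.
Illustration code written for this article; the sample events are made up."""
import re
from typing import Dict, List, Optional

# Code pages the query treats as suspicious switches (assumption carried over
# from the KQL above): 936 = Simplified Chinese (GBK), 1258 = Vietnamese.
WATCHED_CODE_PAGES = {936, 1258}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"TimeGenerated": "2024-05-01T09:12:03Z", "Computer": "WS01",
     "NewProcessName": r"C:\Windows\System32\chcp.com",
     "CommandLine": "chcp  936",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"TimeGenerated": "2024-05-01T09:12:10Z", "Computer": "WS01",
     "NewProcessName": r"C:\Windows\System32\chcp.com",
     "CommandLine": "chcp",                         # bare query = locale recon
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"TimeGenerated": "2024-05-01T09:13:44Z", "Computer": "WS02",
     "NewProcessName": r"C:\Windows\System32\chcp.com",
     "CommandLine": "chcp 65001",                   # common, benign UTF-8 switch
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"TimeGenerated": "2024-05-01T09:15:01Z", "Computer": "WS02",
     "NewProcessName": r"C:\Windows\System32\chcp.com",
     "CommandLine": "chcp 9360",                    # not 936: whole-token match must not fire
     "ParentProcessName": r"C:\Windows\System32\cmd.exe"},
    {"TimeGenerated": "2024-05-01T09:16:30Z", "Computer": "WS03",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c chcp 1258",         # cmd's own event, not chcp.com's
     "ParentProcessName": r"C:\Program Files\App\app.exe"},
]


def requested_code_page(command_line: str) -> Optional[int]:
    """Return the code page a chcp command line asks for, or None for a bare query.

    Mirrors KQL 'has' semantics: the number must be a whole token, so
    'chcp 9360' yields 9360 and never matches a watch-list entry of 936."""
    tokens = command_line.split()
    for tok in tokens[1:]:            # skip argv[0] (chcp, chcp.com, or a quoted path)
        if re.fullmatch(r"\d{1,5}", tok):
            return int(tok)
    return None


def is_chcp(event: Dict[str, str]) -> bool:
    """Equivalent of: where NewProcessName endswith @"\\chcp.com" (case-insensitive)."""
    return event["NewProcessName"].lower().endswith("\\chcp.com")


def classify(event: Dict[str, str]) -> Optional[str]:
    """Verdict for one event, or None when the process is not chcp.com.

    'suspicious-switch' : code page in WATCHED_CODE_PAGES (what the KQL returns)
    'locale-query'      : bare 'chcp' with no argument (the recon described above)
    'switch'            : any other code page change"""
    if not is_chcp(event):
        return None
    cp = requested_code_page(event["CommandLine"])
    if cp is None:
        return "locale-query"
    if cp in WATCHED_CODE_PAGES:
        return "suspicious-switch"
    return "switch"


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Project the same columns as the KQL, for the events it would return."""
    columns = ("TimeGenerated", "Computer", "NewProcessName",
               "CommandLine", "ParentProcessName")
    return [{k: ev[k] for k in columns}
            for ev in events if classify(ev) == "suspicious-switch"]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['Computer']:5} {ev['CommandLine']!r:26} -> {classify(ev)}")
    print("query hits:", hunt(SAMPLE_EVENTS))
```

Two things the sample set is built to show. First, the last event is cmd.exe's own 4688 record; the query keys on the chcp.com process, so that record is ignored and the alert comes from the separate chcp.com event that cmd spawns, which is what you want, because it does not depend on how the parent's command line was phrased. Second, the bare "chcp" query is exactly the reconnaissance the article describes, yet the KQL above does not return it; the classify function keeps it as a lower-severity 'locale-query' verdict so you can decide whether to alert on it separately rather than fold it into the switch rule.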

Closing Thoughts


I hope you found this article useful and enjoyed those chips and crisps! If you have any more questions or need further assistance, feel free to ask me on LinkedIn →

www.linkedin.com

Written By: Sameer Fakhoury aka.semo

© Sameer Fakhoury
