The Chips N Crisp, unveiling the mysteries of chcp

‣

T@b1e 0F C0ntent5

Unveiling Hidden Commands

📢

Welcome to the third technical article, blue teamers! Today’s article isn’t about a well-known command, but rather a barely known one with significant impact on the offensive side. So, grab your bag of ships, sit down with your command line, and let’s begin detecting Windows secrets.

Delving into Lesser-Known Windows Secrets

Recently, I was investigating an incident, during the flow I created a table within the SIEM solution that displayed the attacker's _time, ProcessCommandLine, ParentProcessCommandLine, message, and more. I started analyzing the attacker's executed commands, which ranged from Active Directory enumerations to host enumerations and obfuscated PowerShell commands. However, one command that caught my attention was called Chcp.

Have you ever heard of the chcp command? I like to call it the "chips 'n' crisp" (Bro is delusional), but its main name is the code page. Now, let's dive into it. But first, let’s understand how the command line interprets the code we enter.

Command Line Demystified

When you write code in the command line, you're basically giving instructions to the computer's OS. The command line interpreter (CLI) processes these commands, into these sections.

You type a command and press Enter. The CLI reads this input.

$ ls

The CLI breaks down the command into parts, such as the command name and any arguments or options.
The CLI recognizes ls as a built-in command. It locates the ls executable and runs it. The ls command reads the current directory and retrieves the list of files and directories.
The result of the command is displayed on the console. This could be text, an error message, or something else, depending on the command and its execution, for our example it will list all data inside the current directory.

file1.txt  file2.txt  directory1  directory2

Decoding Console Code Pages: A Deep Dive into CHCP

The active console code page is a crucial aspect of how text is displayed and interpreted in the Windows command prompt.

A code page is essentially a set of character codes used to decode text. The default code page is determined by the Windows Locale, but you can change it using the CHCP command, which stands for Change Code Page.

📢

Windows Locale refers to regional settings that define the user's language, date/time format, currency, and sorting preferences.

Why Does It Matter? Unveiling the Importance of Code Pages

Character Display: The code page dictates which characters are displayed when you type in the command prompt. This is especially important when dealing with characters outside the standard ASCII range (0-127), like special symbols or characters from non-English languages.
Session Specific: Any changes made to the code page using CHCP are only for the current session. If you open a new command prompt, it will use the default code page unless you change it again.

Real-World Applications: How to Use CHCP Effectively

Simply type CHCP in the command prompt, and it will display the current active code page number.

C:\> CHCP
Active code page: 437

To change the code page, use CHCP followed by the code page number, For example, to change to code page 65001 (UTF-8), you would type:

C:\> CHCP 65001

This command changes the code page for the current session to 65001.

If you start another command prompt from within the current one, it will inherit the new code page. For instance:

C:\> CMD

The new command prompt window will use the code page 65001 set in the original session.

Top Code Pages You Should Know

Code Page	Country/ Region/ Language
`437`	United States (default code page in the US)
`850`	Multilingual (Latin I)
`852`	Slavic (Latin II)
`65000`	UTF-7
`65001`	UTF-8

Decoding Character Encoding Standards

ASCII: American Standard Code for Information Interchange, a 7-bit character encoding standard for text. Example: A is represented by 65.

UTF-8: Universal Character Set Transformation Format, a variable-length encoding for Unicode that uses 1 to 4 bytes. Example: A is represented by 65, and 😊 (smiling face) by F0 9F 98 8A.

When we say UTF-8 supports a range of up to 4 bytes, it means a character can be represented using up to 4 bytes (or 8 hexadecimal characters, since each byte is 2 hex characters).
For instance, an emoji like 😊 is encoded in UTF-8 using 4 bytes, which in hexadecimal is represented as 4 pairs of hex characters: F0 9F 98 8A.

Code Page Clues: Unmasking Attackers Through the `chcp` Command

An attacker exploits a Windows machine and executes the chcp command to query the current code page. For instance:

C:\> chcp

The system responds with:

C:\> Active code page: 437

Unveiling Locale Secrets

Attackers identify system locale settings (e.g., language, character encoding).
Knowing the code page ensures their scripts or malware run without encoding errors.

Crafting Region-Specific Payloads

A non-English code page (e.g., 850 for Western European languages) prompts attackers to use localized filenames, commands, or data formats.

Spotting Anomalies in Encoding Commands

Security tools can flag unusual usage of chcp during odd times or by suspicious processes.
Rare use by legitimate users makes it a potential red flag for malicious activity.

Turning Recon into a Defense Opportunity

Alerting on such behavior offers early insight into possible reconnaissance attempts.
Defenders can respond proactively to mitigate further malicious actions.

`IcedID` Detection through Code Page Change Monitoring

EDR agents detected chcp.exe being run by cmd.exe with specific command-line arguments. This activity can indicate malware, like IcedID, which uses this technique to determine the locale, language, or country of the compromised system. If malicious, this could lead to further system compromise and data exfiltration

Cracking the Code: MITRE ATT&CK

Resource Link: Command and Scripting Interpreter, Technique T1059 - Enterprise | MITRE ATT&CK®

`KQL` Command-Line Sleuth: Detecting Suspicious `CodePage` `IcedID` Switches via `CHCP`

We are going to write a Kusto Query Language (KQL) query to detect suspicious code page switches in command line.

SecurityEvent
| where ProcessName endswith "chcp.com"
| where CommandLine has_any (" 936", " 1258")
| project TimeGenerated, Computer, ProcessName, CommandLine, ParentCommandLine

Closing Thoughts

📢

I hope you found this article useful and enjoyed those chips and crisps! If you have any more questions or need further assistance, feel free to ask me on LinkedIn → www.linkedin.com

Written By: Sameer Fakhoury aka.semo