Question Analysis

DeviceProcessEvents | where FileName =~ "cmd.exe" | where ProcessCommandLine has "chcp" | project Timestamp, DeviceName, ProcessCommandLine

DeviceProcessEvents | where FileName == 'cmd.exe' and ProcessCommandLine contains 'chcp'

DeviceProcessEvents | where FileName == 'cmd.exe' and (ProcessCommandLine contains 'systeminfo' or ProcessCommandLine contains 'chcp') | project DeviceName, AccountName, ProcessCommandLine, TimeGenerated

DeviceProcessEvents | where FileName =~ "cmd.exe" | where ProcessCommandLine has_any ("chcp", "Get-WinSystemLocale", "systeminfo", "locale") | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine

DeviceProcessEvents | where (InitiatingProcessFileName =~ "cmd.exe" and InitiatingProcessCommandLine has "chcp") or (InitiatingProcessFileName =~ "powershell.exe" and InitiatingProcessCommandLine has "chcp.exe") | project InitiatingProcessCommandLine | summarize make_set(InitiatingProcessCommandLine)

DeviceProcessEvents | where FileName == "cmd.exe" | where ProcessCommandLine contains "chcp" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | sort by TimeGenerated desc

DeviceProcessEvents | where FileName == "cmd.exe" | where ProcessCommandLine has "chcp" | project TimeGenerated, DeviceName, InitiatingProcessCommandLine, ProcessCommandLine

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName =~ "cmd.exe" // Code page / locale discovery via cmd | where ProcessCommandLine matches regex @"(?i)(\bchcp(\.com)?\b|\breg(\.exe)?\s+query\s+[^\r\n]*\\Control\\Nls\\CodePage\b|\bwmic(\.exe)?\s+os\s+get\s+code(set|page)\b)" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine | order by TimeGenerated desc

// Search DeviceProcessEvents and DeviceEvents for cmd.exe launches that retrieve the system locale/code page let localeKeywords = dynamic(["chcp","Get-Culture","systeminfo","wmic","LocaleName","Locale","Get-WinSystemLocale","Get-Culture","reg query"]); union isfuzzy=true ( DeviceProcessEvents | where isnotempty(FileName) and (FileName =~ "cmd.exe" or ProcessCommandLine contains_cs "cmd.exe") | extend CommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine) | project TimeGenerated, DeviceName, FileName, ProcessId, CommandLine, AccountName, AccountDomain = AccountDomain, ProcessCreationTime ), ( DeviceEvents | where isnotempty(FileName) and (FileName =~ "cmd.exe" or ProcessCommandLine contains_cs "cmd.exe" or InitiatingProcessFileName =~ "cmd.exe") | extend CommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessCommandLine) | project TimeGenerated, DeviceName, FileName, ProcessId, CommandLine, AccountName, AccountDomain = AccountDomain, ProcessCreationTime ) | where isnotempty(CommandLine) // filter for common locale/code-page discovery commands invoked from cmd.exe | where CommandLine has_any ("chcp","/c chcp","/c systeminfo","/c wmic","/c powershell","systeminfo","wmic","Get-Culture","LocaleName","reg query") | extend MatchedKeyword = case( CommandLine has "chcp", "chcp", CommandLine has "Get-Culture", "Get-Culture", CommandLine has "systeminfo", "systeminfo", CommandLine has "wmic", "wmic", CommandLine has "LocaleName", "LocaleName", CommandLine has "reg query", "reg query", "other" ) | project TimeGenerated, DeviceName, AccountDomain, AccountName, FileName, ProcessId, ProcessCreationTime, CommandLine, MatchedKeyword | order by TimeGenerated desc | distinct DeviceName, CommandLine, TimeGenerated, ProcessId, AccountName, AccountDomain, MatchedKeyword, ProcessCreationTime

let locale_terms = dynamic(["chcp","wmic os get locale","get-culture","get-winsystemlocale","get-uiculture","reg query hklm\\system\\currentcontrolset\\control\\nls","[console]::inputencoding","get-winuserlanguagelist","system.language"]); union (DeviceProcessEvents | extend SourceTable = "DeviceProcessEvents"), (DeviceEvents | extend SourceTable = "DeviceEvents") | where isnotempty(ProcessCommandLine) or isnotempty(InitiatingProcessCommandLine) or isnotempty(FileName) or isnotempty(InitiatingProcessFileName) | extend fn = tolower(coalesce(FileName, "")), ipfn = tolower(coalesce(InitiatingProcessFileName, "")), pcmd = tolower(coalesce(ProcessCommandLine, "")), ipcmd = tolower(coalesce(InitiatingProcessCommandLine, "")) // Narrow to events where cmd.exe is involved (as file or in a commandline) | where fn has "cmd.exe" or ipfn has "cmd.exe" or pcmd has "cmd.exe" or ipcmd has "cmd.exe" // Keep events that contain any of the known locale-checking terms | where pcmd has_any (locale_terms) or ipcmd has_any (locale_terms) | extend MatchedCommand = case( pcmd has "chcp" or ipcmd has "chcp", "chcp", pcmd has "wmic os get locale" or ipcmd has "wmic os get locale", "wmic os get locale", pcmd has "get-culture" or ipcmd has "get-culture", "Get-Culture", pcmd has "get-winsystemlocale" or ipcmd has "get-winsystemlocale", "Get-WinSystemLocale", pcmd has "get-uiculture" or ipcmd has "get-uiculture", "Get-UICulture", (pcmd has "reg query" and pcmd has "nls") or (ipcmd has "reg query" and ipcmd has "nls"), "reg query NLS Locale", pcmd has "[console]::inputencoding" or ipcmd has "[console]::inputencoding", "[console]::InputEncoding", "other") | project TimeGenerated, Timestamp, SourceTable, DeviceName, DeviceId, AccountName, AccountDomain = coalesce(AccountDomain, InitiatingProcessAccountDomain), FileName, ProcessId, ProcessCreationTime, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessCreationTime, MatchedCommand | sort by TimeGenerated desc | take 200

DeviceProcessEvents | where FileName has_cs "cmd.exe" or InitiatingProcessFileName has_cs "cmd.exe" | where ProcessCommandLine has_cs "chcp" or ProcessCommandLine has_cs "Get-WinSystemLocale" or ProcessCommandLine has_cs "Get-Culture" or ProcessCommandLine contains "systeminfo" and ProcessCommandLine contains "Locale" or ProcessCommandLine contains "reg query" and (ProcessCommandLine contains "LocaleName" or ProcessCommandLine contains "InstallLanguage" or ProcessCommandLine contains "Nls") or InitiatingProcessCommandLine has_cs "chcp" or InitiatingProcessCommandLine has_cs "Get-WinSystemLocale" or InitiatingProcessCommandLine has_cs "Get-Culture" or InitiatingProcessCommandLine contains "systeminfo" and InitiatingProcessCommandLine contains "Locale" or InitiatingProcessCommandLine contains "reg query" and (InitiatingProcessCommandLine contains "LocaleName" or InitiatingProcessCommandLine contains "InstallLanguage" or InitiatingProcessCommandLine contains "Nls") | project TimeGenerated, DeviceName, FileName, ProcessId, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain | extend MatchType = case( ProcessCommandLine has_cs "chcp" or ProcessCommandLine has_cs "Get-WinSystemLocale" or ProcessCommandLine has_cs "Get-Culture" or (ProcessCommandLine contains "systeminfo" and ProcessCommandLine contains "Locale") or (ProcessCommandLine contains "reg query" and (ProcessCommandLine contains "LocaleName" or ProcessCommandLine contains "InstallLanguage" or ProcessCommandLine contains "Nls")), "Process", InitiatingProcessCommandLine has_cs "chcp" or InitiatingProcessCommandLine has_cs "Get-WinSystemLocale" or InitiatingProcessCommandLine has_cs "Get-Culture" or (InitiatingProcessCommandLine contains "systeminfo" and InitiatingProcessCommandLine contains "Locale") or (InitiatingProcessCommandLine contains "reg query" and (InitiatingProcessCommandLine contains "LocaleName" or InitiatingProcessCommandLine contains "InstallLanguage" or InitiatingProcessCommandLine contains "Nls")), "InitiatingProcess", "Other") | sort by TimeGenerated desc | take 100

DeviceProcessEvents | where (InitiatingProcessFileName contains "cmd.exe" or FileName contains "cmd.exe" or InitiatingProcessCommandLine contains "cmd.exe" or ProcessCommandLine contains "cmd.exe") | where (InitiatingProcessCommandLine contains "chcp" or ProcessCommandLine contains "chcp") | extend CmdLine = tostring(coalesce(InitiatingProcessCommandLine, ProcessCommandLine)) | project TimeGenerated, DeviceName, CmdLine | sort by TimeGenerated desc | take 100

DeviceProcessEvents | where tolower(InitiatingProcessFileName) contains "cmd.exe" | where InitiatingProcessCommandLine has_any ("chcp","wmic os get oslangu","get-locale","get-culture","oslanguage") | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine

DeviceProcessEvents | where FileName contains 'cmd.exe' | where ProcessCommandLine contains 'chcp' or ProcessCommandLine contains 'locale' or ProcessCommandLine contains 'language' | project DeviceName, AccountName, ProcessCommandLine, TimeGenerated | order by TimeGenerated desc

DeviceProcessEvents | where FileName == 'cmd.exe' | where ProcessCommandLine contains 'chcp' | project ProcessCommandLine, TimeGenerated, DeviceName | order by TimeGenerated desc | limit 10

DeviceProcessEvents | where ActionType == "ProcessCreated" | where FileName == "cmd.exe" | where ProcessCommandLine has "chcp" | project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, SHA256, ReportId | order by TimeGenerated desc

DeviceProcessEvents | where ActionType =~ "CreateProcess" or ActionType =~ "ProcessCreated" | where FileName =~ "cmd.exe" | where ProcessCommandLine has "chcp" | project TimeGenerated, DeviceName, FolderPath, ProcessCommandLine | order by TimeGenerated desc

// Windows process creation – identifying cmd.exe commands that query locale / code-page DeviceProcessEvents | where FileName =~ "cmd.exe" // limit to interactive shell launches // ---- locale / code-page discovery primitives ------------------------ | where ProcessCommandLine has_any ( "wmic os get locale", // returns numeric locale identifier "wmic os get codeset", // returns the code-page value "wmic os get codepage", // synonym of the above "chcp", // change / display active code page "systeminfo" // can be combined with findstr to extract locale ) or ProcessCommandLine matches regex @"findstr\s+.*Locale" // e.g. systeminfo | findstr /B /C:"System Locale" // --------------------------------------------------------------------- | project TimeGenerated, DeviceName, Account = strcat(AccountDomain, "\\", AccountName), ProcessCommandLine // Group identical command lines so we can see which exact command(s) were run | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), ExecCount = count() by DeviceName, Account, ProcessCommandLine | order by LastSeen desc

DeviceProcessEvents | where FileName =~ "cmd.exe" | where ProcessCommandLine has "chcp" | project TimeGenerated, DeviceName, ProcessCommandLine | order by TimeGenerated desc

DeviceProcessEvents | where FileName =~ "cmd.exe" | where tolower(ProcessCommandLine) contains "chcp" | project TimeGenerated, DeviceName, FileName, ProcessCommandLine | limit 10

DeviceProcessEvents | where FileName == "cmd.exe" | where ProcessCommandLine has "chcp" | project TimeGenerated, DeviceName, InitiatingProcessAccountName, ProcessCommandLine | sort by TimeGenerated desc

DeviceProcessEvents | where FileName == "cmd.exe" | where ProcessCommandLine contains "chcp" | project ProcessCreationTime, DeviceName, AccountName, ProcessCommandLine