Threat Huntlowtest

CodePage Modification Via MODE.COM

Detects a CodePage modification using the "mode.com" utility. This behavior has been used by threat actors behind Dharma ransomware.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems), Joseliyo SanchezCreated Fri Jan 19d48c5ffa-3b02-4c0f-9a9e-3c275650dd0ewindows

Hunting Hypothesis

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_img:
        - Image|endswith: '\mode.com'
        - OriginalFileName: 'MODE.COM'
    selection_cli:
        CommandLine|contains|all:
            - ' con '
            - ' cp '
            - ' select='
    condition: all of selection_*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0005 · Defense Evasion

Techniques

T1036 · Masquerading

Other

detection.threat-hunting

Related Rules

DerivedDetectionmedium

CodePage Modification Via MODE.COM To Russian Language

Detects a CodePage modification using the "mode.com" utility to Russian language. This behavior has been used by threat actors behind Dharma ransomware.

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata

Rule ID

d48c5ffa-3b02-4c0f-9a9e-3c275650dd0e

Status

test

Level

low

Type

Threat Hunt

Created

Fri Jan 19

Author

Nasreddine Bencherchali (Nextron Systems), Joseliyo Sanchez

Path

rules-threat-hunting/windows/process_creation/proc_creation_win_mode_codepage_change.yml

Raw Tags

attack.defense-evasionattack.t1036detection.threat-hunting

View on GitHub