CodePage Modification Via Mode.com

    Date: 12/03/2024

    Severity: Low

    Summary

    Detects a CodePage modification performed using the "mode.com" utility, a technique previously utilized by threat actors associated with Dharma ransomware.

    Indicators of Compromise (IOC) List

    Image:

    '\mode.com'

    OriginalFileName:

    'MODE.COM'

    CommandLine (all of the following must be present):

    - ' con '

    - ' cp '

    - ' select='

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    (resourcename = "Windows Security" AND eventtype = "4688") AND processname like "mode.com" AND (commandline like "con" and commandline like "cp" and commandline like "select=")

    Detection Query 2 :

    technologygroup = "EDR" AND processname like "mode.com" AND (commandline like "con" and commandline like "cp" and commandline like "select=")
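    The following is an added example, not Gurucul's queries or the SigmaHQ rule itself. It applies the three IOC groups listed above (Image, OriginalFileName, CommandLine) to process-creation records so the logic can be checked offline. The tab-separated record format, the parse_event/is_codepage_change/scan names and the sample events are all constructed for this example; the Image and OriginalFileName checks are treated as alternatives, since an EDR record may lack the version-resource name, and the command-line tokens keep the surrounding spaces shown in the IOC list.

```python
"""Offline check of the mode.com CodePage-change detection described above.

Added example, not Gurucul's or SigmaHQ's code. The IOC values come from
the page; the tab-separated log format and the sample records are
constructed for this example.
"""
from typing import Iterable

# IOC values taken from the page. The surrounding spaces matter: they keep
# ' con ' from matching 'console' and ' cp ' from matching 'chcp' or 'cp1252'.
IMAGE_SUFFIX = "\\mode.com"
ORIGINAL_FILE_NAME = "MODE.COM"
CMDLINE_TOKENS = (" con ", " cp ", " select=")


def parse_event(line: str) -> dict:
    """Split one constructed, tab-separated process-creation record:
    Image <TAB> OriginalFileName <TAB> CommandLine."""
    image, ofn, cmdline = line.rstrip("\n").split("\t", 2)
    return {"Image": image, "OriginalFileName": ofn, "CommandLine": cmdline}


def is_codepage_change(event: dict) -> bool:
    """Return True when the record satisfies the page's IOC groups."""
    image_hit = event["Image"].lower().endswith(IMAGE_SUFFIX)
    # OriginalFileName comes from the PE version resource, so it survives a
    # renamed binary; treated here (assumption) as an alternative to Image.
    name_hit = event["OriginalFileName"].upper() == ORIGINAL_FILE_NAME
    # Pad the command line so a token at the very start or end still matches;
    # matching is case-insensitive, as the logs can carry either case.
    cmd = f" {event['CommandLine'].lower()} "
    cmd_hit = all(token in cmd for token in CMDLINE_TOKENS)
    return (image_hit or name_hit) and cmd_hit


def scan(lines: Iterable[str]) -> list[str]:
    """Return the command lines of every record that matches the rule."""
    return [ev["CommandLine"] for ev in map(parse_event, lines) if is_codepage_change(ev)]


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    # 1: the textbook hit, all three command-line tokens present
    "C:\\Windows\\System32\\mode.com\tMODE.COM\tmode con cp select=1251",
    # 2: benign console resize, no ' cp ' and no ' select='
    "C:\\Windows\\System32\\mode.com\tMODE.COM\tmode con cols=120 lines=40",
    # 3: the parent shell carries the same text, but its Image is cmd.exe;
    #    the child mode.com process produces its own 4688 record
    "C:\\Windows\\System32\\cmd.exe\tCmd.Exe\tcmd /c mode con cp select=437",
    # 4: EDR-style record without OriginalFileName, mixed case
    "C:\\WINDOWS\\system32\\MODE.COM\t\tMODE CON CP SELECT=65001",
    # 5: 'con' inside 'console' and 'cp' inside 'chcp' must not match
    "C:\\Windows\\System32\\mode.com\tMODE.COM\tmode console chcp select=850",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("CodePage change via mode.com:", hit)
```

    Only records 1 and 4 fire. Record 3 shows why the parent shell is not enough on its own: the string is in its command line, but the Image and OriginalFileName checks point at the mode.com child, which gets its own process-creation event. Note also that the two Gurucul queries above match "con", "cp" and "select=" without the padding spaces of the IOC list, so they are broader than this check and will also accept record 5; keep the spaces if that noise matters in your environment.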

    Reference:  

    https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_mode_codepage_change.yml

    Tags

    Malware, Sigma, Ransomware, Dharma
