
Discovery using CHCP

Anvilogic Forge

Summary
This detection rule targets use of the Windows command-line utility CHCP (Change Code Page) during discovery activity attributed to threat actors, specifically APT28 (Fancy Bear). CHCP displays or sets the active console's code page, which reveals the system's locale and language settings. The rule focuses on executions of the CHCP command without parameters, which indicate potential reconnaissance by an attacker, particularly when run by a non-system account whose parent process is cmd or PowerShell. By monitoring these execution patterns, the rule aims to detect malicious discovery activity, especially that seen in IcedID and Conti ransomware incidents. The logic is written for Splunk and uses Sysmon event data, filtering on specific process names and user accounts to isolate suspicious behavior.
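The rule's three conditions (chcp.com launched with no parameters, by a non-system account, from a cmd or PowerShell parent) can be expressed as a small filter over Sysmon Event ID 1 records. The following Python is an added example written for this page, not Anvilogic's Splunk logic or any Forge code; the event records, user names and record IDs are constructed, and the field names (Image, CommandLine, User, ParentImage) follow Sysmon's process-creation event layout. It also shows the cases the rule should not match: chcp run with a code-page argument, chcp run as SYSTEM, and chcp spawned from a parent other than cmd or PowerShell.

```python
"""Constructed example: chcp discovery detection over Sysmon-style process events."""
import re
from typing import Dict, List

# Built-in Windows service accounts the rule excludes (compared case-insensitively).
SYSTEM_ACCOUNTS = {
    "nt authority\\system",
    "nt authority\\local service",
    "nt authority\\network service",
}
# Parent processes the rule treats as suspicious launchers of chcp.
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe"}
# Ways chcp may appear as the first token of a command line.
CHCP_NAMES = {"chcp", "chcp.com"}

# Tokenizer that keeps double-quoted paths (e.g. "C:\Program Files\...") as one token.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path with surrounding quotes removed."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_chcp_without_params(command_line: str) -> bool:
    """True when the command line is exactly chcp / chcp.com with no arguments."""
    tokens = _TOKEN.findall(command_line.strip())
    return len(tokens) == 1 and basename(tokens[0]) in CHCP_NAMES


def is_system_account(user: str) -> bool:
    return user.lower() in SYSTEM_ACCOUNTS


def matches_rule(event: Dict[str, str]) -> bool:
    """Apply the rule's conditions to one Sysmon Event ID 1 record."""
    if basename(event.get("Image", "")) not in CHCP_NAMES:
        return False  # process is not chcp.com
    if not is_chcp_without_params(event.get("CommandLine", "")):
        return False  # chcp was given a code page; not the bare discovery form
    if is_system_account(event.get("User", "")):
        return False  # rule excludes built-in system accounts
    return basename(event.get("ParentImage", "")) in SUSPICIOUS_PARENTS


def detect(events: List[Dict[str, str]]) -> List[str]:
    """Return the record IDs of events that match the rule."""
    return [e["EventRecordID"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventRecordID": "1", "Image": r"C:\Windows\System32\chcp.com",
     "CommandLine": "chcp", "User": r"CORP\jdoe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},                       # match
    {"EventRecordID": "2", "Image": r"C:\Windows\System32\chcp.com",
     "CommandLine": "chcp 65001", "User": r"CORP\jdoe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},                       # has a parameter
    {"EventRecordID": "3", "Image": r"C:\Windows\System32\chcp.com",
     "CommandLine": "chcp", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},                       # system account
    {"EventRecordID": "4", "Image": r"C:\Windows\System32\chcp.com",
     "CommandLine": r'"C:\Windows\System32\chcp.com"', "User": r"CORP\svc_backup",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},  # match
    {"EventRecordID": "5", "Image": r"C:\Windows\System32\chcp.com",
     "CommandLine": "chcp", "User": r"CORP\jdoe",
     "ParentImage": r"C:\Windows\explorer.exe"},                           # other parent
    {"EventRecordID": "6", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "User": r"CORP\jdoe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},                       # not chcp
]

if __name__ == "__main__":
    print("matching records:", detect(SAMPLE_EVENTS))
```

Record 4 shows why the first token is resolved to a basename rather than compared literally: a fully qualified, quoted path to chcp.com with no arguments is the same discovery behaviour as a bare `chcp`. When porting this to Splunk, the equivalent is a regex on CommandLine that anchors on the chcp token and rejects anything after it, combined with the User and ParentImage exclusions shown here.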
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Command
ATT&CK Techniques
  • T1614.001
Created: 2024-02-09