
Summary
This detection rule identifies executions of the Windows command `chcp` (Change Code Page), with a focus on its use in host discovery. Detection is based on process creation events: the rule fires when `chcp.com` is started as a child process of `cmd.exe` and the parent command line carries the specific parameters that precede `chcp`, a pattern that indicates potential malicious or reconnaissance activity. Known false positives include Python's Anaconda updates and applications such as Discord, which invoke `chcp` legitimately, so the detection context should be refined for each environment. The rule is classified as medium severity: it warrants attention but is not by itself an indication of an immediate threat. The captured command context shows what the user or actor was doing and may reveal attempts to enumerate the system locale and recognized code pages, information that can be used in further attacks or privilege escalation.
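A minimal implementation of the matching logic this summary describes, added here as an example and not the rule's own detection code. The Sysmon-style field names (Image, ParentImage, ParentCommandLine, CurrentDirectory), the cmd.exe switches assumed to precede `chcp`, and the benign-context path hints are all assumptions, since the page lists none of them; the events are constructed samples.

```python
from typing import Dict, List

# Assumed: Sysmon Event ID 1 style field names; the page names no schema.
# Assumed: cmd.exe execution switches that precede chcp (not listed on the page).
CMD_SWITCHES = (" /c ", " /k ", " /r ")
# Constructed hints for the documented false positives (Anaconda updates, Discord);
# placeholders for an environment-specific allowlist, not verified install paths.
BENIGN_CONTEXT_HINTS = ("\\anaconda3\\", "\\discord\\")


def is_chcp_discovery(event: Dict[str, str]) -> bool:
    """True when chcp.com is spawned by a scripted cmd.exe outside a known-benign context."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    # Quotes are stripped so `cmd /c "chcp 437"` still matches the switch pattern.
    pcmd = event.get("ParentCommandLine", "").lower().replace('"', "")
    if not image.endswith("\\chcp.com") or not parent.endswith("\\cmd.exe"):
        return False
    # An interactive shell has no /c, /k or /r; only one-shot invocations match.
    if not any(sw + "chcp" in pcmd for sw in CMD_SWITCHES):
        return False
    context = pcmd + " " + event.get("CurrentDirectory", "").lower()
    return not any(hint in context for hint in BENIGN_CONTEXT_HINTS)


def alerts(events: List[Dict[str, str]]) -> List[int]:
    """Indices of events that should raise the medium-severity alert."""
    return [i for i, e in enumerate(events) if is_chcp_discovery(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {   # 0: one-shot chcp followed by further enumeration -> alert
        "Image": r"C:\Windows\System32\chcp.com",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'"C:\Windows\System32\cmd.exe" /c chcp & systeminfo',
        "CurrentDirectory": r"C:\Users\Public",
    },
    {   # 1: user typed chcp in an interactive shell -> no switch, no alert
        "Image": r"C:\Windows\System32\chcp.com",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'"C:\Windows\System32\cmd.exe"',
    },
    {   # 2: chcp run from an Anaconda update script -> documented false positive
        "Image": r"C:\Windows\System32\chcp.com",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r"cmd.exe /c chcp 65001 & conda update --all",
        "CurrentDirectory": r"C:\Users\alice\anaconda3\Scripts",
    },
]
```

Running `alerts(SAMPLE_EVENTS)` returns `[0]`: the interactive shell and the Anaconda context are suppressed, the scripted discovery chain is not.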
Categories
- Windows
- Endpoint
Data Sources
- Process
- Command
Created: 2022-02-21