Suspicious CodePage Switch Via CHCP
Detects a code page switch in command line or batch scripts to a rare language
Sigma rule

```yaml
title: Suspicious CodePage Switch Via CHCP
id: c7942406-33dd-4377-a564-0f62db0593a3
status: test
description: Detects a code page switch in command line or batch scripts to a rare language
references:
    - https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
    - https://twitter.com/cglyer/status/1183756892952248325
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2019-10-14
modified: 2023-03-07
tags:
    - attack.t1036
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\chcp.com'
        CommandLine|endswith:
            - ' 936' # Chinese
            # - ' 1256' # Arabic
            - ' 1258' # Vietnamese
            # - ' 855' # Russian
            # - ' 866' # Russian
            # - ' 864' # Arabic
    condition: selection
falsepositives:
    - Administrative activity (adjust code pages according to your organization's region)
level: medium
```

regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch/info.yml
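The following is an added example, not code from the SigmaHQ project: a minimal Python evaluator for this rule's `selection` block, run over constructed process_creation events, to show which command lines the two enabled code pages match and how the `|endswith` modifier behaves when tuning the list for your region.

```python
# Added example (not part of the Sigma rule or SigmaHQ's tooling): evaluates the
# rule's selection logic over constructed process_creation events. Sigma string
# modifiers such as |endswith are case-insensitive, so both sides are lower-cased.

# Code pages the rule currently alerts on. The commented-out entries in the rule
# (855, 866, 864, 1256) can be added here if they are rare in your environment.
ENABLED_CODEPAGES = (" 936", " 1258")  # Chinese, Vietnamese


def matches_chcp_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection` block."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith("\\chcp.com"):
        return False
    return any(cmdline.endswith(cp) for cp in ENABLED_CODEPAGES)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\chcp.com", "CommandLine": "chcp 936"},
    {"Image": r"C:\Windows\System32\chcp.com", "CommandLine": "CHCP 1258"},
    {"Image": r"C:\Windows\System32\chcp.com", "CommandLine": "chcp 65001"},
    {"Image": r"C:\Windows\System32\chcp.com", "CommandLine": "chcp 437"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c echo 936"},
    # Anything after the code page (here a trailing space) defeats an
    # |endswith match; keep this in mind when assessing coverage.
    {"Image": r"C:\Windows\System32\chcp.com", "CommandLine": "chcp 936 "},
]


def evaluate(events: list) -> list:
    """Apply the rule to each event and return the list of match results."""
    return [matches_chcp_rule(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("ALERT " if hit else "      ", event["CommandLine"])
```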
Related rules
- Suspicious Computer Account Name Change CVE-2021-42287
- System File Execution Location Anomaly
- Explorer Process Tree Break
- Renamed ZOHO Dctask64 Execution
- Potential LSASS Process Dump Via Procdump