Suspicious CodePage Switch Via CHCP
Detects a code page switch in command line or batch scripts to a rare language
Sigma rule (View on GitHub)
1title: Suspicious CodePage Switch Via CHCP
2id: c7942406-33dd-4377-a564-0f62db0593a3
3status: test
4description: Detects a code page switch in command line or batch scripts to a rare language
5references:
6 - https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
7 - https://twitter.com/cglyer/status/1183756892952248325
8author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
9date: 2019-10-14
10modified: 2023-03-07
11tags:
12 - attack.t1036
13 - attack.defense-evasion
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 Image|endswith: '\chcp.com'
20 CommandLine|endswith:
21 - ' 936' # Chinese
22 # - ' 1256' # Arabic
23 - ' 1258' # Vietnamese
24 # - ' 855' # Russian
25 # - ' 866' # Russian
26 # - ' 864' # Arabic
27 condition: selection
28fields:
29 - ParentCommandLine
30falsepositives:
31 - Administrative activity (adjust code pages according to your organization's region)
32level: medium
References
Related rules
- CreateDump Process Dump
- DumpMinitool Execution
- Explorer Process Tree Break
- Findstr Launching .lnk File
- HackTool - XORDump Execution