Suspicious CodePage Switch Via CHCP

Aug 12, 2024 · attack.t1036 attack.defense-evasion ·

Detects a code page switch in command line or batch scripts to a rare language

Sigma rule (View on GitHub)

 1title: Suspicious CodePage Switch Via CHCP
 2id: c7942406-33dd-4377-a564-0f62db0593a3
 3status: test
 4description: Detects a code page switch in command line or batch scripts to a rare language
 5references:
 6    - https://learn.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
 7    - https://twitter.com/cglyer/status/1183756892952248325
 8author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
 9date: 2019-10-14
10modified: 2023-03-07
11tags:
12    - attack.t1036
13    - attack.defense-evasion
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        Image|endswith: '\chcp.com'
20        CommandLine|endswith:
21            - ' 936'    # Chinese
22            # - ' 1256' # Arabic
23            - ' 1258'   # Vietnamese
24            # - ' 855'  # Russian
25            # - ' 866'  # Russian
26            # - ' 864'  # Arabic
27    condition: selection
28fields:
29    - ParentCommandLine
30falsepositives:
31    - Administrative activity (adjust code pages according to your organization's region)
32level: medium

References

Code Page Identifiers - Win32 apps

The following table defines the available code page identifiers.

Read More
x.com

Read More

Suspicious CodePage Switch Via CHCP

Sigma rule (View on GitHub)

References

Code Page Identifiers - Win32 apps

x.com

Related rules