Suspicious CodePage Switch Via CHCP

Detects a switch of the console code page, from the command line or in a batch script, to a code page that is rarely used in the environment (for example Chinese or Vietnamese).

Sigma rule (View on GitHub)

```yaml
title: Suspicious CodePage Switch Via CHCP
id: c7942406-33dd-4377-a564-0f62db0593a3
status: test
description: Detects a code page switch in command line or batch scripts to a rare language
references:
    - https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
    - https://twitter.com/cglyer/status/1183756892952248325
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2019/10/14
modified: 2023/03/07
tags:
    - attack.t1036
    - attack.defense_evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\chcp.com'
        CommandLine|endswith:
            - ' 936'    # Chinese
            # - ' 1256' # Arabic
            - ' 1258'   # Vietnamese
            # - ' 855'  # Russian
            # - ' 866'  # Russian
            # - ' 864'  # Arabic
    condition: selection
fields:
    - ParentCommandLine
falsepositives:
    - Administrative activity (adjust code pages according to your organization's region)
level: medium
```
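To check what the selection block above actually matches, here is an added example (not part of the Sigma project or this rule) that applies the same `Image|endswith` and `CommandLine|endswith` logic to a few constructed process_creation events; the `ProcessEvent` class, the `OPTIONAL_CODEPAGES` set (the entries commented out in the rule) and the sample events are assumptions made for the example.

```python
# Added example: evaluate this rule's selection logic against sample events.
from dataclasses import dataclass

# Code pages the rule flags as shipped; OPTIONAL mirrors the commented-out
# entries that an analyst may enable depending on the organization's region.
DEFAULT_CODEPAGES = (" 936", " 1258")                    # Chinese, Vietnamese
OPTIONAL_CODEPAGES = (" 1256", " 855", " 866", " 864")   # Arabic, Russian, Russian, Arabic


@dataclass
class ProcessEvent:
    """Minimal stand-in for a Windows process_creation log record (hypothetical)."""
    image: str
    command_line: str
    parent_command_line: str = ""


def matches_chcp_rule(event, codepages=DEFAULT_CODEPAGES):
    """Return True when the event satisfies the rule's 'selection' block.

    Sigma string modifiers are case-insensitive by default, so both fields
    are lower-cased before the endswith comparison. The leading space in each
    code page value is what keeps '9360' from matching ' 936'.
    """
    image = event.image.lower()
    cmd = event.command_line.lower()
    return image.endswith("\\chcp.com") and any(cmd.endswith(cp) for cp in codepages)


def scan(events, codepages=DEFAULT_CODEPAGES):
    """Return the command lines of all matching events (the alert payload)."""
    return [e.command_line for e in events if matches_chcp_rule(e, codepages)]


# Constructed sample events for the demo; not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\chcp.com", "chcp 936", "cmd /c run.bat"),
    ProcessEvent(r"C:\Windows\System32\CHCP.COM", "chcp 1258"),       # case differs
    ProcessEvent(r"C:\Windows\System32\chcp.com", "chcp 65001"),      # UTF-8, benign
    ProcessEvent(r"C:\Windows\System32\chcp.com", "chcp 1256"),       # Arabic, off by default
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd /c chcp 936"),  # Image is not chcp.com
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Passing `DEFAULT_CODEPAGES + OPTIONAL_CODEPAGES` to `scan` shows the effect of uncommenting the regional entries in the rule.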
