LoFP / administrative activity (adjust code pages according to your organization's region)

Techniques

• t1036

Sample rules

Suspicious CodePage Switch Via CHCP

• source: sigma
• technicques:
  • t1036

Description

Detects a code page switch in command line or batch scripts to a rare language

Detection logic

condition: selection
selection:
  CommandLine|endswith:
  - ' 936'
  - ' 1258'
  Image|endswith: \chcp.com