CodePage Modification Via MODE.COM To Russian Language
- source: sigma
- techniques:
  - t1036
Description
Detects a console code page change to Russian (code page 1251 or 866) performed with the “mode.com” utility. This behavior has been used by the threat actors behind Dharma ransomware.
Detection logic
condition: all of selection_*
selection_cli:
    CommandLine|contains|all:
        - ' con '
        - ' cp '
        - ' select='
    CommandLine|endswith:
        - '=1251'
        - '=866'
selection_img:
    - Image|endswith: '\mode.com'
    - OriginalFileName: 'MODE.COM'
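To make the rule's semantics concrete, the following is an added Python example (not part of the Sigma rule or the Sigma project's code) that evaluates the detection logic above over a handful of constructed process-creation events. It assumes the usual Sigma conventions: string comparisons are case-insensitive, a list of maps under a selection is OR-ed, and "all of selection_*" requires every selection to match. The event field names (Image, OriginalFileName, CommandLine) are the ones used by the rule; the event records themselves are made up for illustration.

```python
"""Evaluate the mode.com code-page Sigma rule over process-creation events.

Added example: a hand-written evaluator that mirrors the rule's two selections
and its condition. It is not a general Sigma engine.
"""

# selection_cli: CommandLine must contain ALL of these tokens ...
CLI_CONTAINS_ALL = [" con ", " cp ", " select="]
# ... and must end with ANY of these code-page values.
CLI_ENDSWITH_ANY = ["=1251", "=866"]

# selection_img: a list of maps in Sigma is OR-ed, so either field may match.
IMG_ENDSWITH = "\\mode.com"
IMG_ORIGINAL_FILENAME = "MODE.COM"


def _ci(value):
    """Sigma string matching is case-insensitive by default; normalise once."""
    return (value or "").lower()


def matches_selection_cli(event):
    cmd = _ci(event.get("CommandLine"))
    has_all_tokens = all(tok in cmd for tok in CLI_CONTAINS_ALL)
    has_codepage = any(cmd.endswith(cp) for cp in CLI_ENDSWITH_ANY)
    return has_all_tokens and has_codepage


def matches_selection_img(event):
    image = _ci(event.get("Image"))
    original = _ci(event.get("OriginalFileName"))
    return image.endswith(IMG_ENDSWITH.lower()) or original == IMG_ORIGINAL_FILENAME.lower()


def rule_matches(event):
    """condition: all of selection_* -> both selections must hold."""
    return matches_selection_cli(event) and matches_selection_img(event)


def evaluate(events):
    """Return the ids of the events that trigger the rule."""
    return [e["id"] for e in events if rule_matches(e)]


# Constructed sample events (not real telemetry). The Image paths and
# OriginalFileName values are what a Windows process-creation log would carry.
SAMPLE_EVENTS = [
    # Direct invocation with the Windows-1251 code page: should match.
    {"id": "e1", "Image": "C:\\Windows\\System32\\mode.com",
     "OriginalFileName": "MODE.COM",
     "CommandLine": "mode.com con cp select=1251"},
    # Same binary, a non-Russian code page: endswith fails, no match.
    {"id": "e2", "Image": "C:\\Windows\\System32\\mode.com",
     "OriginalFileName": "MODE.COM",
     "CommandLine": "mode con cp select=437"},
    # The parent cmd.exe event: command line matches, but selection_img does
    # not. The child mode.com process it spawns would produce its own event.
    {"id": "e3", "Image": "C:\\Windows\\System32\\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c mode con cp select=866"},
    # Upper-case command line: still matches because Sigma is case-insensitive.
    {"id": "e4", "Image": "C:\\Windows\\System32\\mode.com",
     "OriginalFileName": "MODE.COM",
     "CommandLine": "MODE CON CP SELECT=866"},
    # Querying the current code page without select=: no match.
    {"id": "e5", "Image": "C:\\Windows\\System32\\mode.com",
     "OriginalFileName": "MODE.COM",
     "CommandLine": "mode con cp"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT" if rule_matches(event) else "ok"
        print(f"{event['id']}: {verdict:5} {event['CommandLine']}")
```

Event e3 illustrates a point worth keeping in mind when tuning this rule: the cmd.exe event that carries the full command line is deliberately excluded by selection_img, and the alert comes from the separate process-creation event for the mode.com child, so the telemetry source must log child processes for the rule to fire.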