rule: modified the default

2024-11-07 09:48:58 +00:00 · 2019-10-14 17:50:48 +02:00 · 2019-10-14 17:50:48 +02:00 · 0e2284a176
commit 0e2284a176
parent 312311494d
1 changed files with 5 additions and 5 deletions
--- a/rules/windows/process_creation/win_susp_codepage_switch.yml
+++ b/rules/windows/process_creation/win_susp_codepage_switch.yml
@ -14,14 +14,14 @@ detection:
        Image: '*\chcp.com'
        CommandLine: 
            - '* 936'  # Chinese
-            - '* 1256' # Arabic
+            # - '* 1256' # Arabic
            - '* 1258' # Vietnamese
-            - '* 855'  # Russian
-            - '* 866'  # Russian
-            - '* 864'  # Arabic
+            # - '* 855'  # Russian
+            # - '* 866'  # Russian
+            # - '* 864'  # Arabic
    condition: selection
 fields:
    - ParentCommandLine
 falsepositives:
-    - Administrative activity of foreign staff
+    - "Administrative activity (adjust code pages according to your organisation's region)"
 level: medium