
Summary
This detection rule identifies suspicious code page switches in Windows command lines or batch scripts, specifically switches to rarely used code pages that can indicate an attacker running scripts written for a foreign locale. The rule inspects process creation events in which the image is 'chcp.com' and the command line ends with one of the uncommon code page identifiers '936' (Simplified Chinese) or '1258' (Vietnamese), preceded by a space so that identifiers that merely share the same trailing digits are not matched. These code pages are rarely set during normal administrative work in environments where those locales are not in use, so their activation is a low-noise indicator: attacker tooling and batch scripts authored for those locales switch the console code page so that their output and script contents render and parse correctly. chcp.com itself is a benign built-in and the switch is not an exploit; the rule flags the environmental change that can accompany the execution of localized attacker scripts in a compromised environment. Because cmd.exe spawns chcp.com as a child process when 'chcp' appears in a batch file or a 'cmd /c' command line, the matching event is the chcp.com process creation, and the parent process (typically cmd.exe) and its command line supply the surrounding context. Hosts where Simplified Chinese or Vietnamese is the working locale should be excluded or the rule will produce expected noise there.
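The matching logic described above, run over a handful of constructed process creation events, as an added example that is not the rule's own code. The event shape (image path plus command line) and the sample command lines are assumptions for illustration; the code-page identifiers and the chcp.com image name are from the rule text. It also shows why the delimiter check matters and why a 'cmd /c chcp 936 ...' line does not match on the cmd.exe event itself.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Code pages the rule treats as rare for administrative use (from the rule text).
RARE_CODEPAGES = {"936": "Simplified Chinese", "1258": "Vietnamese"}


@dataclass
class ProcessEvent:
    """Minimal process creation event (assumed shape; real telemetry has more fields)."""
    image: str          # full path of the created process image
    command_line: str   # command line as recorded by the sensor


def matches_chcp_rule(event: ProcessEvent) -> Optional[str]:
    """Return the matched code page, or None.

    Mirrors the rule text: the image must be chcp.com (case-insensitive) and the
    command line must end with a space-delimited rare code page identifier.
    Splitting on whitespace and comparing the last token enforces the delimiter,
    so '11258' or '4936' would not match even though they end in the same digits.
    """
    if not event.image.lower().endswith("\\chcp.com"):
        return None
    tokens = event.command_line.strip().split()
    if len(tokens) < 2:          # bare 'chcp' only queries the current code page
        return None
    code_page = tokens[-1]
    return code_page if code_page in RARE_CODEPAGES else None


def scan(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Return (command_line, code_page, language) for every matching event."""
    hits = []
    for event in events:
        code_page = matches_chcp_rule(event)
        if code_page is not None:
            hits.append((event.command_line, code_page, RARE_CODEPAGES[code_page]))
    return hits


# Constructed sample events; none of these are real captured telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\chcp.com", "chcp  936"),              # hit
    ProcessEvent(r"C:\Windows\System32\chcp.com", "chcp 1258"),              # hit
    ProcessEvent(r"C:\Windows\System32\chcp.com", "chcp 65001"),             # UTF-8, common: no hit
    ProcessEvent(r"C:\Windows\System32\chcp.com", "chcp 1252"),              # Western European: no hit
    ProcessEvent(r"C:\Windows\System32\chcp.com", "chcp"),                   # query only: no hit
    ProcessEvent(r"C:\Windows\System32\chcp.com", "chcp 11258"),             # shares digits, not delimited: no hit
    # The cmd.exe event does not match; the chcp.com child it spawns produces its own event.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c chcp 936 & whoami"),
    ProcessEvent(r"C:\Windows\SysWOW64\chcp.com", "CHCP 936"),               # hit, case-insensitive image
]


def scan_samples() -> List[Tuple[str, str, str]]:
    return scan(SAMPLE_EVENTS)


if __name__ == "__main__":
    for command_line, code_page, language in scan_samples():
        print(f"ALERT chcp.com switched to code page {code_page} ({language}): {command_line!r}")
```

In production the same predicate would be expressed in the SIEM's query language over the process creation source; keeping the delimiter check and the image constraint is what separates this from a broad substring match on "936".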
Categories
- Windows
- Endpoint
Data Sources
- Process
- Command
Created: 2019-10-14