diff --git a/rules/windows/process_creation/win_susp_codepage_switch.yml b/rules/windows/process_creation/win_susp_codepage_switch.yml
index 6b68d66dc..bf33cd53e 100644
--- a/rules/windows/process_creation/win_susp_codepage_switch.yml
+++ b/rules/windows/process_creation/win_susp_codepage_switch.yml
@@ -2,7 +2,7 @@ title: Suspicious Code Page Switch
 id: c7942406-33dd-4377-a564-0f62db0593a3
 status: experimental
 description: Detects a code page switch in command line or batch scripts to a rare language
-author: Florian Roth
+author: Florian Roth, Jonhnathan Ribeiro
 date: 2019/10/14
 references:
     - https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers
@@ -12,13 +12,15 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine:
-            - 'chcp* 936' # Chinese
-            # - 'chcp* 1256' # Arabic
-            - 'chcp* 1258' # Vietnamese
-            # - 'chcp* 855' # Russian
-            # - 'chcp* 866' # Russian
-            # - 'chcp* 864' # Arabic
+        CommandLine|contains|all:
+            - 'chcp'
+        CommandLine|endswith:
+            - ' 936' # Chinese
+            # - ' 1256' # Arabic
+            - ' 1258' # Vietnamese
+            # - ' 855' # Russian
+            # - ' 866' # Russian
+            # - ' 864' # Arabic
     condition: selection
 fields:
     - ParentCommandLine
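Review bot: The new `CommandLine|endswith: ' 936'` / `' 1258'` selection only fires when the code page number is the very last token, so the common batch idioms `chcp 936 >nul`, `chcp 936 & ...` and `chcp 936 && ...` still evade the rule, even though the accompanying `contains: 'chcp'` now correctly catches `cmd /c chcp ...` forms that the old anchored `chcp* 936` pattern (a whole-field match in Sigma) missed. A trailing space or CR in the logged command line, which some sources preserve, would defeat a raw suffix test as well and is worth checking against the data source. Also, `contains|all` with a single list value is equivalent to plain `contains` and reads as if more values were intended. I would split the selections so the code page may be followed by whitespace, a redirect or a command separator and tie them together in the condition; the commented-out Arabic/Russian codes can stay alongside the active ones as before, and the rule's remaining fields (level, false positives) lie outside this hunk.
```yaml
detection:
    selection_chcp:
        CommandLine|contains: 'chcp'
    selection_cp_last:
        CommandLine|endswith:
            - ' 936' # Chinese
            - ' 1258' # Vietnamese
    selection_cp_chained:
        # code page followed by redirect / separator, e.g. "chcp 936 >nul", "chcp 936 &&"
        CommandLine|contains:
            - ' 936 '
            - ' 936>'
            - ' 936&'
            - ' 1258 '
            - ' 1258>'
            - ' 1258&'
    condition: selection_chcp and (selection_cp_last or selection_cp_chained)
# … unchanged: fields …
```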