From 4f49f03460e2e92d5482b3d4e8600c756c8e3bb1 Mon Sep 17 00:00:00 2001
From: mlp1515 <69857628+mlp1515@users.noreply.github.com>
Date: Thu, 26 Aug 2021 12:46:15 +0000
Subject: [PATCH] Update sysmon_abusing_debug_privilege.yml French language settings
---
 .../process_creation/sysmon_abusing_debug_privilege.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
index 399103d25..041bba07a 100644
--- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
+++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
@@ -28,7 +28,9 @@ detection:
 - '\powershell.exe'
 - '\cmd.exe'
 selection3:
- User: 'NT AUTHORITY\SYSTEM'
+ User|startswith:
+ - 'NT AUTHORITY\SYSTEM'
+ - 'AUTORITE NT\Sys' # French language settings
 filter:
 CommandLine|contains|all:
 - ' route '
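Review bot: The `selection3` match on `User` is still tied to specific display languages: with this change only the English and French spellings of the SYSTEM account are covered, so the rule stays silent on hosts whose locale renders the name differently (German systems, for instance, log `NT-AUTORITÄT\SYSTEM`). Consider matching on a locale-neutral fragment instead, e.g. `User|contains:` with `- 'AUTHORI'` and `- 'AUTORI'`, or listing each further locale explicitly. The truncated prefix `'AUTORITE NT\Sys'` also deserves a fuller comment, since the reason for cutting at `Sys` is not evident from the rule; presumably it avoids the accented character in the French name, e.g. `# French: 'AUTORITE NT\Système', prefix stops before the accented character`. The `detection` block starts and ends outside the hunk, so how `selection3` is combined in the condition cannot be checked from here.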