From 644397e65cd19999c7fbb7e2aa8d5ed90fd6207e Mon Sep 17 00:00:00 2001
From: mlp1515 <69857628+mlp1515@users.noreply.github.com>
Date: Thu, 26 Aug 2021 12:41:36 +0000
Subject: [PATCH] Update win_exploit_cve_2019_1388.yml French language settings
---
 rules/windows/process_creation/win_exploit_cve_2019_1388.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
index c93f2113b..096c1994e 100644
--- a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
@@ -7,6 +7,7 @@ references:
 - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
 author: Florian Roth
 date: 2019/11/20
+modified: 2021/08/26
 tags:
 - attack.privilege_escalation
 - attack.t1068
@@ -21,7 +22,9 @@ detection:
 rights1:
 IntegrityLevel: 'System' # for Sysmon users
 rights2:
- User: 'NT AUTHORITY\SYSTEM' # for non-Sysmon users - English language settings
+ User|startswith:
+ - 'NT AUTHORITY\SYSTEM' # for non-Sysmon users - English language settings
+ - 'AUTORITE NT\Sys' # French language settings
 condition: selection and ( rights1 or rights2 )
 falsepositives:
 - Unknown
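Review bot: The `rights2` list in the second hunk still covers only English and French display languages, so on non-Sysmon telemetry from hosts with any other locale (German systems, for example, report a differently localized account name) the rule will silently not match. The French entry is also cut at `'AUTORITE NT\Sys'` without saying why; presumably this sidesteps the accented character in the localized name, and a comment such as `# prefix only: the localized name continues with an accented character` would stop a later editor from "completing" the string and breaking the match. A more locale-tolerant form would be `User|contains:` with `- 'AUTHORI'` and `- 'AUTORI'`, at the cost of also matching the other built-in service accounts under that authority. The `selection` part of the detection block lies outside the hunk, so how much that broadening would matter cannot be judged from here.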