From cce7cfc79af8e7667e8a0a25d2d7f44e43be890e Mon Sep 17 00:00:00 2001
From: mlp1515 <69857628+mlp1515@users.noreply.github.com>
Date: Thu, 26 Aug 2021 12:51:45 +0000
Subject: [PATCH] Update win_tool_psexec.yml French language settings
---
 rules/windows/other/win_tool_psexec.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml
index 22a4d3da1..250429d10 100644
--- a/rules/windows/other/win_tool_psexec.yml
+++ b/rules/windows/other/win_tool_psexec.yml
@@ -5,7 +5,7 @@ status: experimental
 description: Detects PsExec service installation and execution events (service and Sysmon)
 author: Thomas Patzke
 date: 2017/06/12
-modified: 2021/08/06
+modified: 2021/08/26
 references:
 - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 - https://jpcertcc.github.io/ToolAnalysisResultSheet
@@ -46,7 +46,9 @@ logsource:
 detection:
 sysmon_processcreation:
 Image|endswith: '\PSEXESVC.exe'
- User: 'NT AUTHORITY\SYSTEM'
+ User|startswith:
+ - 'NT AUTHORITY\SYSTEM'
+ - 'AUTORITE NT\Sys' # French language settings
 ---
 logsource:
 category: pipe_created
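Review bot: The `User|startswith` list in `sysmon_processcreation` still ties the selection to the host's display language: only the English and French account names are listed, so a `\PSEXESVC.exe` process-creation event logged under any other localized SYSTEM account name will not match, and the rule fails silently on those hosts. That limitation deserves a comment above the list, for example `# User is locale-dependent: only English and French account names are covered`, or a follow-up that matches on something that is not translated. The second entry is cut off at `Sys`, presumably to avoid the accented character that follows in the French name; the inline comment should say so, e.g. `# French locale, prefix only (rest of the name is non-ASCII)`. The `condition` that consumes this selection lies outside the hunk, so its effect on the other selections cannot be checked from here.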