From d80f73625fcdcd9d5aad8805572b4b261210070a Mon Sep 17 00:00:00 2001
From: Roberto Rodriguez
Date: Wed, 27 Oct 2021 01:22:19 -0400
Subject: [PATCH] Added the right System string to User filter
---
 .../process_creation/win_susp_child_process_as_system_.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_child_process_as_system_.yml b/rules/windows/process_creation/win_susp_child_process_as_system_.yml
index d7a31c2b7..241bcc8e8 100644
--- a/rules/windows/process_creation/win_susp_child_process_as_system_.yml
+++ b/rules/windows/process_creation/win_susp_child_process_as_system_.yml
@@ -22,8 +22,9 @@ detection:
 ParentUser:
 - 'NT AUTHORITY\NETWORK SERVICE'
 - 'NT AUTHORITY\LOCAL SERVICE'
+ User:
+ - 'NT AUTHORITY\SYSTEM'
 - 'AUTORITE NT\Sys' # French language settings
- User: 'NT AUTHORITY\SYSTEM'
 IntegrityLevel: 'System'
 rundllexception:
 Image|endswith: '\rundll32.exe'
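Review bot: The French value `'AUTORITE NT\Sys'` that now sits in the `User` list is an exact-match string, so it only fires when the log source writes the SYSTEM account in exactly that truncated form; the inline comment should record where that spelling was observed, e.g. `# French language settings (value as emitted by the log source, not the full localized account name)`, otherwise a later maintainer is likely to "correct" it to the full localized name and silently break the match. Because `User` and `ParentUser` are keys of the same selection and are therefore AND-ed, the French `User` value can only match when `ParentUser` equals one of the two English service-account strings, which presumably does not happen on a French-localized host; if that holds, the localized equivalents of NETWORK SERVICE and LOCAL SERVICE are also needed in `ParentUser`, or the new French entry is effectively dead. The selection that encloses these keys begins above the hunk, so its condition and the other selections are not visible here.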