From e9ed5f592cbda58f771b167471fbf2b71018f985 Mon Sep 17 00:00:00 2001
From: mlp1515 <69857628+mlp1515@users.noreply.github.com>
Date: Thu, 26 Aug 2021 12:48:59 +0000
Subject: [PATCH] Update sysmon_always_install_elevated_windows_installer.yml French language settings
---
 .../sysmon_always_install_elevated_windows_installer.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
index 8d89e217b..4aa3afd03 100644
--- a/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
+++ b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
@@ -4,6 +4,7 @@ description: This rule will looks for Windows Installer service (msiexec.exe) wh
 status: experimental
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020/10/13
+modified: 2021/08/26
 references:
     - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
 tags:
@@ -16,7 +17,9 @@ detection:
     integrity_level:
         IntegrityLevel: 'System'
     user:
-        User: 'NT AUTHORITY\SYSTEM'
+        User|startswith:
+            - 'NT AUTHORITY\SYSTEM'
+            - 'AUTORITE NT\Sys' # French language settings
     image_1:
         Image|contains|all:
             - '\Windows\Installer\'
@@ -34,4 +37,4 @@ fields:
 falsepositives:
     - System administrator Usage
     - Penetration test
-level: medium
\ No newline at end of file
+level: medium
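Review bot: The truncated `'AUTORITE NT\Sys'` entry in the new `User|startswith` list does not say why it stops at `Sys`, so a later maintainer is likely to "complete" it to a full account name and silently break the match on French hosts; presumably it is cut just before the accented character of the localized SYSTEM account name so the rule file stays ASCII-only, which is worth stating. Replace the inline comment with something like `- 'AUTORITE NT\Sys' # French-localized SYSTEM account; deliberately truncated before the accented character`. Note that `startswith` against the full `'NT AUTHORITY\SYSTEM'` behaves as an equality match, so the modifier only does work for the French entry, and any other locale's SYSTEM display name still falls through this selection. Matching the well-known SID would be locale-independent if the log source exposed it, but the Sysmon `User` field used here is a display name, so a per-locale list is the practical option and should be documented as such. The enclosing `detection` block begins outside the hunk.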