From 644397e65cd19999c7fbb7e2aa8d5ed90fd6207e Mon Sep 17 00:00:00 2001
From: mlp1515 <69857628+mlp1515@users.noreply.github.com>
Date: Thu, 26 Aug 2021 12:41:36 +0000
Subject: [PATCH 1/9] Update win_exploit_cve_2019_1388.yml

French language settings
---
 rules/windows/process_creation/win_exploit_cve_2019_1388.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
index c93f2113..096c1994 100644
--- a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
@@ -7,6 +7,7 @@ references:
     - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
 author: Florian Roth
 date: 2019/11/20
+modified: 2021/08/26
 tags:
     - attack.privilege_escalation
     - attack.t1068
@@ -21,7 +22,9 @@ detection:
     rights1:
         IntegrityLevel: 'System' # for Sysmon users
     rights2:
-        User: 'NT AUTHORITY\SYSTEM' # for non-Sysmon users - English language settings
+        User|startswith:
+            - 'NT AUTHORITY\SYSTEM' # for non-Sysmon users - English language settings
+            - 'AUTORITE NT\Sys' # French language settings
     condition: selection and ( rights1 or rights2 )
 falsepositives:
     - Unknown

From 7ad927f28eeb307d2f0a6b0dc48ab5f8a68926fe Mon Sep 17 00:00:00 2001
From: mlp1515 <69857628+mlp1515@users.noreply.github.com>
Date: Thu, 26 Aug 2021 12:42:47 +0000
Subject: [PATCH 2/9] Update win_wmiprvse_spawning_process.yml

French language settings
---
 .../process_creation/win_wmiprvse_spawning_process.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
index e0da3a8c..d3e6843f 100644
--- a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
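Review bot: The new `'AUTORITE NT\Sys'` entry in rights2 is a truncated prefix, and nothing records what it is meant to match or why it stops where it does — the French display name of the SYSTEM account is `AUTORITE NT\Système`, and the cut before the accented character is presumably there to keep the rule ASCII-safe across backends. Suggest making that explicit: `- 'AUTORITE NT\Sys' # French 'AUTORITE NT\Système'; prefix stops before the accented 'è'`. Because `startswith` now governs both entries, any future addition to this list must be checked against every other built-in principal under the same authority so the prefix does not silently widen the match. The locale-independent path for Sysmon sources remains rights1's `IntegrityLevel: 'System'`, which the condition already ORs with rights2.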
+++ b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
@@ -3,7 +3,7 @@ id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
 description: Detects wmiprvse spawning processes
 status: experimental
 date: 2019/08/15
-modified: 2021/02/24
+modified: 2021/08/26
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
     - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190810201010.html
@@ -23,7 +23,9 @@ detection:
         - SubjectLogonId:
             - '0x3e7' # LUID 999 for SYSTEM
             - 'null' # too many false positives
-        - User: 'NT AUTHORITY\SYSTEM' # if we don't have LogonId data, fallback on username detection
+        - User|startswith:
+            - 'NT AUTHORITY\SYSTEM' # if we don't have LogonId data, fallback on username detection
+            - 'AUTORITE NT\Sys' # French language settings
         - Image|endswith:
             - '\WmiPrvSE.exe'
             - '\WerFault.exe'

From 5545403a9bea797684912b8d5709c78f2284e888 Mon Sep 17 00:00:00 2001
From: mlp1515 <69857628+mlp1515@users.noreply.github.com>
Date: Thu, 26 Aug 2021 12:43:33 +0000
Subject: [PATCH 3/9] Update win_whoami_as_system.yml

French language settings
---
 rules/windows/process_creation/win_whoami_as_system.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/win_whoami_as_system.yml b/rules/windows/process_creation/win_whoami_as_system.yml
index 4fee1a9e..cdfa30d2 100644
--- a/rules/windows/process_creation/win_whoami_as_system.yml
+++ b/rules/windows/process_creation/win_whoami_as_system.yml
@@ -6,7 +6,7 @@ references:
     - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
 author: Teymur Kheirkhabarov
 date: 2019/10/23
-modified: 2019/11/11
+modified: 2021/08/26
 tags:
     - attack.privilege_escalation
     - attack.discovery
@@ -16,7 +16,9 @@ logsource:
     product: windows
 detection:
     selection:
-        User: 'NT AUTHORITY\SYSTEM'
+        User|startswith:
+            - 'NT AUTHORITY\SYSTEM'
+            - 'AUTORITE NT\Sys' # French language settings
         Image|endswith: '\whoami.exe'
     condition: selection
 falsepositives:
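Review bot: The list this `User|startswith` belongs to reads like an exclusion (`'null' # too many false positives` is filter wording; the condition that uses it is outside the hunk), so moving from an exact name to a prefix widens what the rule suppresses rather than what it detects, and the prefix should be as tight as the locale allows — `- 'AUTORITE NT\Syst'` loses nothing against `AUTORITE NT\Système` and should name that account in its comment. Separately, for Security 4688 events the account arrives as distinct SubjectUserName/SubjectDomainName fields, so whether `User` ever carries the `AUTORITE NT\…` form depends on the backend's field mapping; the locale-independent branch of this list is `SubjectLogonId: '0x3e7'`. The fallback comment now hangs on the English list item; it belongs on the key: `- User|startswith: # fallback when LogonId is unavailable; localized display names`.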
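Review bot: `User` is the only account criterion in this selection, and adding one localized spelling covers French hosts only — any other Windows display language that localizes the SYSTEM account name still evades win_whoami_as_system silently, since a non-matching `User` simply yields no alert. Unlike win_exploit_cve_2019_1388 there is no IntegrityLevel alternative here, so either state the limitation in the rule, `# localized account names; display languages not listed are not covered`, or add a locale-independent criterion where the log source provides one (the SYSTEM SID S-1-5-18 in 4688's SubjectUserSid, `IntegrityLevel: System` for Sysmon). The prefix `'AUTORITE NT\Sys'` is meant for `AUTORITE NT\Système`; a comment naming the full account lets a reader verify that it matches nothing else.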
From 5f419d6f3524f8cfb9f2766be64a973034754555 Mon Sep 17 00:00:00 2001
From: mlp1515 <69857628+mlp1515@users.noreply.github.com>
Date: Thu, 26 Aug 2021 12:44:35 +0000
Subject: [PATCH 4/9] Update win_susp_taskmgr_localsystem.yml

French language settings
---
 .../process_creation/win_susp_taskmgr_localsystem.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
index 4ac61fed..2ec58e2c 100644
--- a/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
+++ b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
@@ -7,12 +7,15 @@ tags:
     - attack.t1036
 author: Florian Roth
 date: 2018/03/18
+modified: 2021/08/26
 logsource:
     category: process_creation
     product: windows
 detection:
     selection:
-        User: NT AUTHORITY\SYSTEM
+        User|startswith:
+            - 'NT AUTHORITY\SYSTEM'
+            - 'AUTORITE NT\Sys' # French language settings
         Image|endswith: '\taskmgr.exe'
     condition: selection
 falsepositives:

From a31422db74d961235a78d03752912e80e49016c6 Mon Sep 17 00:00:00 2001
From: mlp1515 <69857628+mlp1515@users.noreply.github.com>
Date: Thu, 26 Aug 2021 12:45:24 +0000
Subject: [PATCH 5/9] Update win_susp_schtask_creation.yml

French language settings
---
 rules/windows/process_creation/win_susp_schtask_creation.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_susp_schtask_creation.yml b/rules/windows/process_creation/win_susp_schtask_creation.yml
index 1647d2f5..bc671f4c 100644
--- a/rules/windows/process_creation/win_susp_schtask_creation.yml
+++ b/rules/windows/process_creation/win_susp_schtask_creation.yml
@@ -4,6 +4,7 @@ status: experimental
 description: Detects the creation of scheduled tasks in user session
 author: Florian Roth
 date: 2019/01/16
+modified: 2021/08/26
 logsource:
     category: process_creation
     product: windows
@@ -12,7 +13,9 @@ detection:
         Image|endswith: '\schtasks.exe'
         CommandLine|contains: ' /create '
     filter:
-        User: NT AUTHORITY\SYSTEM
+        User|startswith:
+            - 'NT AUTHORITY\SYSTEM'
+            - 'AUTORITE NT\Sys' # French language settings
     condition: selection and not filter
 fields:
     - CommandLine

From 4f49f03460e2e92d5482b3d4e8600c756c8e3bb1 Mon Sep 17 00:00:00 2001
From: mlp1515 <69857628+mlp1515@users.noreply.github.com>
Date: Thu, 26 Aug 2021 12:46:15 +0000
Subject: [PATCH 6/9] Update sysmon_abusing_debug_privilege.yml

French language settings
---
 .../process_creation/sysmon_abusing_debug_privilege.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
index 399103d2..041bba07 100644
--- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
+++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
@@ -28,7 +28,9 @@ detection:
             - '\powershell.exe'
             - '\cmd.exe'
     selection3:
-        User: 'NT AUTHORITY\SYSTEM'
+        User|startswith:
+            - 'NT AUTHORITY\SYSTEM'
+            - 'AUTORITE NT\Sys' # French language settings
     filter:
         CommandLine|contains|all:
             - ' route '

From e9ed5f592cbda58f771b167471fbf2b71018f985 Mon Sep 17 00:00:00 2001
From: mlp1515 <69857628+mlp1515@users.noreply.github.com>
Date: Thu, 26 Aug 2021 12:48:59 +0000
Subject: [PATCH 7/9] Update sysmon_always_install_elevated_windows_installer.yml

French language settings
---
 .../sysmon_always_install_elevated_windows_installer.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
index 8d89e217..4aa3afd0 100644
--- a/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
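Review bot: This `User|startswith` sits in `filter`, which the condition negates (`selection and not filter`), so widening the match from an exact name to a prefix widens what the rule suppresses: every schtasks `/create` whose user begins with `AUTORITE NT\Sys` is now excluded from alerting. The target is the French SYSTEM account `AUTORITE NT\Système`, and no other built-in principal under that authority appears to share the prefix, but an exclusion should be as narrow as practical and should record why the name is cut short — e.g. `- 'AUTORITE NT\Syst' # French 'AUTORITE NT\Système'; cut before the accented 'è'`. The replaced `NT AUTHORITY\SYSTEM` was a plain scalar, where the backslash was already literal, so quoting it changes nothing and is the right normalization.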
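Review bot: The detection logic of sysmon_abusing_debug_privilege changes without the rule's `modified:` date being touched — the diffstat (3 insertions, 1 deletion) shows only selection3 is edited, whereas every other patch in this series adds or bumps `modified: 2021/08/26`. Downstream consumers key rule refreshes on that field, so add `modified: 2021/08/26` to the header (outside this hunk). The enclosing `detection` map continues past the hunk; the `filter` on ` route ` is not affected by the change.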
+++ b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
@@ -4,6 +4,7 @@ description: This rule will looks for Windows Installer service (msiexec.exe) wh
 status: experimental
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020/10/13
+modified: 2021/08/26
 references:
     - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
 tags:
@@ -16,7 +17,9 @@ detection:
     integrity_level:
         IntegrityLevel: 'System'
     user:
-        User: 'NT AUTHORITY\SYSTEM'
+        User|startswith:
+            - 'NT AUTHORITY\SYSTEM'
+            - 'AUTORITE NT\Sys' # French language settings
     image_1:
         Image|contains|all:
             - '\Windows\Installer\'
@@ -34,4 +37,4 @@ fields:
 falsepositives:
     - System administrator Usage
     - Penetration test
-level: medium
\ No newline at end of file
+level: medium

From e1aa82b412457c154fe9a5db3a8fb1b6ee4cdf67 Mon Sep 17 00:00:00 2001
From: mlp1515 <69857628+mlp1515@users.noreply.github.com>
Date: Thu, 26 Aug 2021 12:50:24 +0000
Subject: [PATCH 8/9] Update win_susp_tscon_localsystem.yml

French language settings
---
 .../windows/process_creation/win_susp_tscon_localsystem.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_susp_tscon_localsystem.yml b/rules/windows/process_creation/win_susp_tscon_localsystem.yml
index b11145b6..d04687d1 100644
--- a/rules/windows/process_creation/win_susp_tscon_localsystem.yml
+++ b/rules/windows/process_creation/win_susp_tscon_localsystem.yml
@@ -7,6 +7,7 @@ references:
     - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
 author: Florian Roth
 date: 2018/03/17
+modified: 2021/08/26
 tags:
     - attack.command_and_control
     - attack.t1219
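Review bot: The `user` selection is now a list of localized display names while its sibling `integrity_level` is locale-independent, and neither carries a comment saying which one is the fallback for which log source (the condition that combines them is outside the hunk). Mirroring the annotations in win_exploit_cve_2019_1388 would make the intent clear: `IntegrityLevel: 'System' # Sysmon` and `User|startswith: # non-Sysmon fallback; localized display names`, with the French entry naming `AUTORITE NT\Système` so the `Sys` prefix can be verified. The trailing-newline fix on `level: medium` is cosmetic and fine.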
@@ -15,7 +16,9 @@ logsource:
     product: windows
 detection:
     selection:
-        User: NT AUTHORITY\SYSTEM
+        User|startswith:
+            - 'NT AUTHORITY\SYSTEM'
+            - 'AUTORITE NT\Sys' # French language settings
         Image|endswith: '\tscon.exe'
     condition: selection
 falsepositives:

From cce7cfc79af8e7667e8a0a25d2d7f44e43be890e Mon Sep 17 00:00:00 2001
From: mlp1515 <69857628+mlp1515@users.noreply.github.com>
Date: Thu, 26 Aug 2021 12:51:45 +0000
Subject: [PATCH 9/9] Update win_tool_psexec.yml

French language settings
---
 rules/windows/other/win_tool_psexec.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml
index 22a4d3da..250429d1 100644
--- a/rules/windows/other/win_tool_psexec.yml
+++ b/rules/windows/other/win_tool_psexec.yml
@@ -5,7 +5,7 @@ status: experimental
 description: Detects PsExec service installation and execution events (service and Sysmon)
 author: Thomas Patzke
 date: 2017/06/12
-modified: 2021/08/06
+modified: 2021/08/26
 references:
     - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
     - https://jpcertcc.github.io/ToolAnalysisResultSheet
@@ -46,7 +46,9 @@ logsource:
 detection:
     sysmon_processcreation:
         Image|endswith: '\PSEXESVC.exe'
-        User: 'NT AUTHORITY\SYSTEM'
+        User|startswith:
+            - 'NT AUTHORITY\SYSTEM'
+            - 'AUTORITE NT\Sys' # French language settings
 ---
 logsource:
     category: pipe_created
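Review bot: `sysmon_processcreation` is, by its name, a Sysmon selection, and Sysmon process-creation events carry `IntegrityLevel`, which identifies the SYSTEM context without depending on the display language; keeping a list of localized strings here means every additional locale needs another patch to this rule. Consider `IntegrityLevel: 'System'` alongside or instead of the name list, as win_exploit_cve_2019_1388 does in rights1 — this document's own logsource block is outside the hunk, so confirm it is indeed the Sysmon source before relying on that field. If the name list stays, name the full account in the comment: `- 'AUTORITE NT\Sys' # French 'AUTORITE NT\Système'; prefix stops before the accented 'è'`.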