Update sysmon_always_install_elevated_windows_installer.yml

French language settings
2024-11-06 17:35:19 +00:00 · 2021-08-26 12:48:59 +00:00 · 2021-08-26 12:48:59 +00:00 · e9ed5f592c
commit e9ed5f592c
parent 4f49f03460
1 changed files with 5 additions and 2 deletions
--- a/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
+++ b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
@ -4,6 +4,7 @@ description: This rule will looks for Windows Installer service (msiexec.exe) wh
 status: experimental
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020/10/13
+modified: 2021/08/26
 references: 
    - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
 tags:
@ -16,7 +17,9 @@ detection:
    integrity_level:
        IntegrityLevel: 'System'
    user:
-        User: 'NT AUTHORITY\SYSTEM'
+        User|startswith: 
+            - 'NT AUTHORITY\SYSTEM'
+            - 'AUTORITE NT\Sys' # French language settings
    image_1:
        Image|contains|all: 
            - '\Windows\Installer\'
@ -34,4 +37,4 @@ fields:
 falsepositives:
    - System administrator Usage
    - Penetration test
-level: medium 
+level: medium