From 1eabadd4ee3a18362f68852353d965dbb1687c32 Mon Sep 17 00:00:00 2001
From: Paulo da Silva <52788195+pasilva-msft@users.noreply.github.com>
Date: Wed, 15 Jan 2020 21:09:53 -0300
Subject: [PATCH] Change from AccountName To AccountSid

Since, there is many languages for Windows, there will be different names for SYSTEM user, for instance in Brazil it is called SISTEMA. So, to avoid dependency of string I suggest to change it to SID form AccountSid != "S-1-5-18".
---
 Persistence/scheduled task creation.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Persistence/scheduled task creation.txt b/Persistence/scheduled task creation.txt
index 7f7d3c0b..505ecee8 100644
--- a/Persistence/scheduled task creation.txt
+++ b/Persistence/scheduled task creation.txt
@@ -1,5 +1,5 @@
 //Original Sigma Rule: https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_schtask_creation.yml
 //Questions via Twitter: @janvonkirchheim
 DeviceProcessEvents
-| where FolderPath endswith "\\schtasks.exe" and ProcessCommandLine has " /create " and AccountName != "system"
+| where FolderPath endswith "\\schtasks.exe" and ProcessCommandLine has " /create " and AccountSid != "S-1-5-18"
 | where Timestamp > ago(7d)
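Review bot: The literal `"S-1-5-18"` on the added `| where` line is unexplained inside the query itself; the reason for comparing by SID instead of AccountName lives only in the commit message, so the next analyst who edits this file will not know why the well-known SID is used. Add a header comment above `DeviceProcessEvents`, e.g. `// Exclude LocalSystem by well-known SID (S-1-5-18) rather than by AccountName, since the account name is localized (e.g. "SISTEMA" on pt-BR systems)`. It would also be worth stating in that comment that the exclusion drops every schtasks /create run under LocalSystem, so task creation by services or tooling already running as SYSTEM is intentionally out of scope for this query. The hunk covers the whole five-line file, so no context is missing.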