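---
# Sigma rule template for command-injection CVEs. The {{PLACEHOLDER}} tokens
# inside template_content are presumably substituted by the generator named in
# the author field before the rendered text is parsed as a Sigma rule.
template_name: "Command Injection Detection"
description: "Detects command injection attempts based on PoC exploit indicators"

# Keywords that select this template; presumably matched against the CVE /
# product text — confirm against the generator.
applicable_product_patterns:
  - "injection"
  - "command"
  - "shell"
  - "exec"
  - "system"

# Literal block scalar: newlines are kept and the rendered text must itself be
# valid YAML after substitution.
# NOTE(review): {{TITLE}} and {{DESCRIPTION}} are substituted unquoted, so a
# value containing ': ' or ' #', or starting with a YAML indicator, would break
# the rendered rule — confirm the generator quotes or escapes these.
# {{COMMANDS}}, {{REFERENCES}} and {{TAGS}} sit inline after the key, so they
# must render as single-line (flow) lists — TODO confirm.
template_content: |
  title: {{TITLE}}
  id: {{RULE_ID}}
  status: experimental
  description: {{DESCRIPTION}}
  author: CVE-SIGMA Auto Generator
  date: {{DATE}}
  references: {{REFERENCES}}
  tags: {{TAGS}}
  logsource:
    category: process_creation
    product: windows
  detection:
    # A shell interpreter was spawned (cmd/powershell, or bash/sh on Windows).
    selection_shell:
      Image|endswith:
        - '\\cmd.exe'
        - '\\powershell.exe'
        - '\\bash.exe'
        - '\\sh.exe'
    # CVE-specific PoC indicators supplied by the generator.
    selection_injection:
      CommandLine|contains: {{COMMANDS}}
    # Shell separators / substitution syntax that carry the injected command.
    selection_patterns:
      CommandLine|contains:
        - '&'
        - '|'
        - ';'
        - '`'
        - '$('
    # All three are required. The previous form
    # "(selection_shell and selection_injection) or selection_patterns" let
    # selection_patterns fire on its own, i.e. on every process whose command
    # line contained a pipe, ampersand or semicolon, with no link to the CVE.
    # Dropping selection_patterns from the conjunction widens coverage to
    # injections without a visible separator at the cost of more noise.
    condition: selection_shell and selection_injection and selection_patterns
  falsepositives:
    - Legitimate command line usage
    - System administration scripts
  level: {{LEVEL}}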