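---
# Template for a Sigma rule covering credential-access activity on Windows.
# The {{...}} tokens are placeholders; presumably the rule generator replaces
# them with per-CVE values before the text is parsed as a Sigma rule
# (confirm against the generator code).
template_name: "Credential Access Detection"
description: "Detects credential access attempts based on PoC exploit indicators"

# Keywords associated with this template; presumably matched against product
# or PoC text to decide whether the template applies (verify against caller).
applicable_product_patterns:
  - "credential"
  - "password"
  - "hash"
  - "dump"
  - "lsass"
  - "mimikatz"

# Review notes on the rule body below:
# - filter_genuine_lsass: the real LSASS binary has 'lsass' in its image path,
#   so an unfiltered Image|contains 'lsass' fires every time Windows starts
#   it. The filter leaves the selection matching other images named 'lsass'.
# - Matching on image name ('mimikatz') only catches tools that were not
#   renamed; treat selection_lsass as a low-effort indicator, not coverage.
# - NOTE(review): TargetFilename is a file_event field. Under the
#   process_creation logsource selection_files is not expected to match;
#   file indicators need their own rule with category: file_event.
# - NOTE(review): list placeholders (REFERENCES, TAGS, COMMANDS, FILES) are
#   kept on the same line as their key, which assumes the generator expands
#   them to inline lists - TODO confirm against the generator.
# - NOTE(review): TITLE and DESCRIPTION are inserted unquoted; a value that
#   contains ': ' or ' #' would break the rendered rule unless the generator
#   quotes or escapes it - verify.
template_content: |
  title: {{TITLE}}
  id: {{RULE_ID}}
  status: experimental
  description: {{DESCRIPTION}}
  author: CVE-SIGMA Auto Generator
  date: {{DATE}}
  references: {{REFERENCES}}
  tags: {{TAGS}}
  logsource:
    category: process_creation
    product: windows
  detection:
    selection_lsass:
      Image|contains:
        - 'lsass'
        - 'mimikatz'
    filter_genuine_lsass:
      Image|endswith: '\Windows\System32\lsass.exe'
    selection_creds:
      CommandLine|contains: {{COMMANDS}}
    selection_files:
      TargetFilename|contains: {{FILES}}
    condition: (selection_lsass and not filter_genuine_lsass) or selection_creds or selection_files
  falsepositives:
    - Legitimate authentication processes
    - Password management software
  level: {{LEVEL}}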