template_name: "Credential Access Detection"
description: "Detects credential access attempts based on PoC exploit indicators"
applicable_product_patterns:
  - "credential"
  - "password"
  - "hash"
  - "dump"
  - "lsass"
  - "mimikatz"
template_content: |
  title: {{TITLE}}
  id: {{RULE_ID}}
  status: experimental
  description: {{DESCRIPTION}}
  author: CVE-SIGMA Auto Generator
  date: {{DATE}}
  references:
  {{REFERENCES}}
  tags:
  {{TAGS}}
  logsource:
      category: process_creation
      product: windows
  detection:
      selection_lsass:
          Image|contains:
              - 'lsass'
              - 'mimikatz'
      selection_creds:
          CommandLine|contains:
  {{COMMANDS}}
      selection_files:
          TargetFilename|contains:
  {{FILES}}
      condition: selection_lsass or selection_creds or selection_files
  falsepositives:
      - Legitimate authentication processes
      - Password management software
  level: {{LEVEL}}