---
# Sigma rule template for file-system detections built from PoC exploit
# indicators. The top-level keys describe the template; `template_content`
# holds the rule skeleton with {{NAME}} placeholders.
template_name: 'File System Activity Detection'
description: 'Detects suspicious file system activity based on PoC exploit indicators'

# Presumably matched against the affected product's name to decide whether
# this template applies; confirm the matching rules against the generator.
applicable_product_patterns:
  - 'file'
  - 'filesystem'
  - 'upload'
  - 'download'

# `template_content` is a literal block scalar, so a YAML loader sees it as one
# string and never interprets the {{NAME}} placeholders itself.
#
# NOTE(review): values taken from CVE text or PoC code are untrusted input. If
# they are substituted as raw text, a value containing ': ', ' #', a quote or a
# newline can break or silently alter the rendered rule. Confirm the generator
# serialises each value as a YAML scalar or list before substitution.
#
# NOTE(review): {{REFERENCES}}, {{TAGS}} and {{FILES}} sit on the same line as
# their key here; confirm that placement matches what the generator emits for
# list values.
#
# Detection caveats visible in the skeleton:
#   - logsource is fixed to Windows `file_event`, whatever product the
#     indicators came from.
#   - The only condition is a `TargetFilename|contains` substring match, so
#     short or generic indicators will match benign activity. Review rendered
#     rules before promoting them past `status: experimental`.
template_content: |
  title: {{TITLE}}
  id: {{RULE_ID}}
  status: experimental
  description: {{DESCRIPTION}}
  author: CVE-SIGMA Auto Generator
  date: {{DATE}}
  references: {{REFERENCES}}
  tags: {{TAGS}}
  logsource:
    category: file_event
    product: windows
  detection:
    selection:
      TargetFilename|contains: {{FILES}}
    condition: selection
  falsepositives:
    - Legitimate file operations
    - Software installations
  level: {{LEVEL}}