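# Template for the "CVE-SIGMA Auto Generator" (see `author:` below): the top-level
# keys decide when this template is chosen for a product/PoC, and
# `template_content` is the Sigma rule text with {{PLACEHOLDER}} tokens that the
# generator substitutes.
template_name: "Lateral Movement Detection"
description: "Detects lateral movement attempts based on PoC exploit indicators"
# Substring patterns that select this template. "remote" and "movement" are very
# broad (e.g. any "remote code execution" description would match), so the
# template can be applied to CVEs that have nothing to do with lateral movement —
# review the generated rules rather than trusting the selection.
applicable_product_patterns:
  - "lateral"
  - "movement"
  - "remote"
  - "psexec"
  - "wmic"
  - "rdp"
# Sigma rule body. Assumptions to confirm against the generator's substitution:
#   - {{COMMANDS}} and {{NETWORK}} must expand to a non-empty string or a YAML
#     list; an empty expansion leaves `CommandLine|contains:` as null, which
#     changes the selection's meaning rather than disabling it.
#   - {{REFERENCES}} and {{TAGS}} must expand to YAML lists (Sigma expects lists).
#   - {{TITLE}} / {{DESCRIPTION}} must not contain `: ` or ` #` unless the
#     generator quotes/escapes them, or the rendered YAML breaks.
# Comments inside the block scalar become part of every rendered rule; Sigma
# tooling ignores them.
template_content: |
  title: {{TITLE}}
  # Quoted so an all-digit id or a YYYY-MM-DD date is not retyped by YAML.
  id: "{{RULE_ID}}"
  status: experimental
  description: {{DESCRIPTION}}
  author: CVE-SIGMA Auto Generator
  date: "{{DATE}}"
  references: {{REFERENCES}}
  tags: {{TAGS}}
  logsource:
    category: process_creation
    product: windows
  detection:
    # Source-host view: matches the PsExec client by image name only, so a renamed
    # psexec.exe evades it. Consider also matching OriginalFileName where the log
    # source provides it (e.g. Sysmon EID 1). The target-host artifact is PSEXESVC.
    selection_psexec:
      Image|endswith: '\\psexec.exe'
      CommandLine|contains: {{COMMANDS}}
    # `|all` makes the value list AND-linked. A plain `|contains` list is
    # OR-linked in Sigma, which would fire on any wmic invocation mentioning
    # "process", "call" or "create" (e.g. `wmic process list`).
    selection_wmic:
      Image|endswith: '\\wmic.exe'
      CommandLine|contains|all:
        - 'process'
        - 'call'
        - 'create'
    # No Image constraint: any process whose command line carries the network
    # indicator matches. Expect this branch to dominate false positives.
    selection_remote:
      CommandLine|contains: {{NETWORK}}
    condition: selection_psexec or selection_wmic or selection_remote
  falsepositives:
    - Legitimate remote administration
    - System management tools
  level: {{LEVEL}}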