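---
# Sigma rule template consumed by the CVE-SIGMA generator: the top-level keys
# describe when the template applies, and template_content is the rule body
# with {{PLACEHOLDER}} tokens that the generator substitutes.
template_name: "Persistence Detection"
description: "Detects persistence mechanisms based on PoC exploit indicators"

# Keyword patterns that select this template; matched against the product /
# PoC description by the generator (assumed -- confirm against the generator).
applicable_product_patterns:
  - "persistence"
  - "startup"
  - "autorun"
  - "scheduled"
  - "task"
  - "cron"

# The rendered rule is ONE Sigma rule, and a Sigma rule carries exactly one
# logsource, so every selection below must use fields that exist in
# process_creation events (Image, CommandLine).  Do not put TargetFilename or
# TargetObject here: those are file_event / registry_event fields, they are
# never populated under this logsource, and a selection on them can never
# match -- the "or" condition then silently degrades to the schtasks branch
# alone.  File-system or registry telemetry needs its own template with the
# matching logsource category.
#
# Placeholders appear to be substituted as raw text (confirm against the
# generator): a value containing ': ', ' #' or a leading YAML indicator must be
# quoted by the generator or the rendered rule will not parse.  Lines inside
# the block scalar are rule content, so YAML comments cannot go there.
template_content: |
  title: {{TITLE}}
  id: {{RULE_ID}}
  status: experimental
  description: {{DESCRIPTION}}
  author: CVE-SIGMA Auto Generator
  date: {{DATE}}
  references: {{REFERENCES}}
  tags: {{TAGS}}
  logsource:
    category: process_creation
    product: windows
  detection:
    selection_schtasks:
      Image|endswith: '\\schtasks.exe'
      CommandLine|contains: {{COMMANDS}}
    selection_startup:
      CommandLine|contains:
        - '\\Startup\\'
        - '\\Start Menu\\'
    selection_registry:
      CommandLine|contains: {{REGISTRY}}
    condition: selection_schtasks or selection_startup or selection_registry
  falsepositives:
    - Legitimate software installations
    - System configuration changes
  level: {{LEVEL}}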