template_name: "Privilege Escalation Detection"
description: "Detects privilege escalation attempts based on PoC exploit indicators"
applicable_product_patterns:
  - "privilege"
  - "escalation"
  - "admin"
  - "root"
  - "sudo"
  - "runas"
template_content: |
  title: {{TITLE}}
  id: {{RULE_ID}}
  status: experimental
  description: {{DESCRIPTION}}
  author: CVE-SIGMA Auto Generator
  date: {{DATE}}
  references:
  {{REFERENCES}}
  tags:
  {{TAGS}}
  logsource:
      category: process_creation
      product: windows
  detection:
      selection_runas:
          Image|endswith: '\\runas.exe'
          CommandLine|contains:
  {{COMMANDS}}
      selection_whoami:
          Image|endswith: '\\whoami.exe'
          CommandLine|contains:
              - '/priv'
              - '/groups'
      selection_exploit:
          CommandLine|contains:
  {{PROCESSES}}
      condition: selection_runas or selection_whoami or selection_exploit
  falsepositives:
      - Legitimate administrative tasks
      - System diagnostics
  level: {{LEVEL}}