auto_sigma_rule_generator/backend/templates/credential_access.yaml


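template_name: "Credential Access Detection"
description: "Detects credential access attempts based on PoC exploit indicators"

# Substrings the generator matches against the product / PoC text to decide
# whether this template applies. The matching itself is done by the generator,
# not by anything in this file.
applicable_product_patterns:
  - "credential"
  - "password"
  - "hash"
  - "dump"
  - "lsass"
  - "mimikatz"

# Sigma rule skeleton, kept as a literal block scalar so that newlines survive.
# The generator substitutes the {{PLACEHOLDER}} tokens and emits the result as
# the rule file, so the text below must be valid Sigma YAML after rendering.
#
# NOTE(review): {{REFERENCES}}, {{TAGS}}, {{COMMANDS}} and {{FILES}} are
# replaced by whole list items, so the leading indent of those placeholder
# lines must agree with what the rendering code emits — confirm against the
# generator before moving them. {{TITLE}} and {{DESCRIPTION}} are left
# unquoted; a generated value containing ": " or " #" would break or truncate
# the rendered rule, so the generator should sanitise or quote those values.
#
# NOTE(review): TargetFilename is not a process_creation field (it belongs to
# file events), so selection_files cannot match under this logsource unless
# the consuming backend maps it. Image|contains 'lsass' also matches the
# legitimate lsass.exe process creation itself rather than access to it, and
# since the condition is an OR of all three selections that branch alone
# will raise noisy hits. Consider splitting file / process-access logic into
# a rule with the matching logsource category.
template_content: |
  title: {{TITLE}}
  id: {{RULE_ID}}
  status: experimental
  description: {{DESCRIPTION}}
  author: CVE-SIGMA Auto Generator
  date: {{DATE}}
  references:
    {{REFERENCES}}
  tags:
    {{TAGS}}
  logsource:
    category: process_creation
    product: windows
  detection:
    selection_lsass:
      Image|contains:
        - 'lsass'
        - 'mimikatz'
    selection_creds:
      CommandLine|contains:
        {{COMMANDS}}
    selection_files:
      TargetFilename|contains:
        {{FILES}}
    condition: selection_lsass or selection_creds or selection_files
  falsepositives:
    - Legitimate authentication processes
    - Password management software
  level: {{LEVEL}}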