auto_sigma_rule_generator/backend/templates/persistence.yaml


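---
# Template consumed by the Sigma auto-generator: the metadata keys below are
# read by the generator, and `template_content` is the rule text it emits
# after replacing the `{{...}}` placeholders.
template_name: "Persistence Detection"
description: "Detects persistence mechanisms based on PoC exploit indicators"

# Substrings matched against the product / PoC description to decide whether
# this template applies (exact matching semantics live in the generator).
applicable_product_patterns:
  - "persistence"
  - "startup"
  - "autorun"
  - "scheduled"
  - "task"
  - "cron"

# Rendered Sigma rule. Placeholders are substituted as raw text, so the
# generator is responsible for two things this file cannot enforce:
#   * TITLE / DESCRIPTION must not contain `: ` or ` #`, otherwise the
#     rendered rule is no longer valid YAML (consider quoting them upstream).
#   * REFERENCES, TAGS, COMMANDS and REGISTRY must expand to list items
#     indented for the position they are inserted at; an empty COMMANDS or
#     REGISTRY expansion leaves the `|contains` key with a null value.
#     NOTE(review): confirm the generator's indentation of substituted lists.
#
# Coverage caveat: the logsource is `process_creation`, whose events carry
# `Image` / `CommandLine` but not `TargetFilename` (a `file_event` field) or
# `TargetObject` (a `registry_event` field). As rendered, `selection_startup`
# and `selection_registry` therefore never match, and the rule only detects
# the schtasks.exe branch. Splitting the startup-folder and registry checks
# into rules with their own logsource would close that gap; this template
# keeps the original detection block unchanged.
template_content: |
  title: {{TITLE}}
  id: {{RULE_ID}}
  status: experimental
  description: {{DESCRIPTION}}
  author: CVE-SIGMA Auto Generator
  date: {{DATE}}
  references:
  {{REFERENCES}}
  tags:
  {{TAGS}}
  logsource:
    category: process_creation
    product: windows
  detection:
    selection_schtasks:
      Image|endswith: '\\schtasks.exe'
      CommandLine|contains:
      {{COMMANDS}}
    selection_startup:
      TargetFilename|contains:
        - '\\Startup\\'
        - '\\Start Menu\\'
    selection_registry:
      TargetObject|contains:
      {{REGISTRY}}
    condition: selection_schtasks or selection_startup or selection_registry
  falsepositives:
    - Legitimate software installations
    - System configuration changes
  level: {{LEVEL}}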