auto_sigma_rule_generator/backend/templates/privilege_escalation.yaml


# Rule template for the Sigma auto generator. The top-level keys describe the
# template and when it is selected; `template_content` holds the Sigma rule
# skeleton, which is rendered by substituting the {{PLACEHOLDER}} tokens.
template_name: "Privilege Escalation Detection"
description: "Detects privilege escalation attempts based on PoC exploit indicators"
# Keywords that make this template applicable to a product / PoC.
# NOTE(review): how these are matched (substring vs whole word, case folding)
# is decided by the generator, not by this file — confirm against the
# template-selection code.
applicable_product_patterns:
- "privilege"
- "escalation"
- "admin"
- "root"
- "sudo"
- "runas"
# Sigma rule skeleton (logsource: process_creation / windows).
# Placeholder contract, as far as this file shows it:
#   {{TITLE}} {{RULE_ID}} {{DESCRIPTION}} {{DATE}} {{LEVEL}} - scalar values,
#     substituted unquoted. TITLE and DESCRIPTION are free text, so the
#     renderer must YAML-escape them (": ", " #", quotes, newlines) or the
#     rendered rule can fail to parse or pick up injected keys.
#     TODO(review): confirm the renderer does this.
#   {{REFERENCES}} {{TAGS}} {{COMMANDS}} {{PROCESSES}} - list placeholders that
#     stand on a line of their own; every rendered "- item" line must land at
#     the placeholder's column (flush-style items are valid YAML there).
#     TODO(review): confirm the renderer indents multi-item output.
# Detection shape: the condition is an OR of three selections.
# selection_whoami (whoami.exe with /priv or /groups) contains no placeholder
# and therefore fires independently of the CVE; selection_runas and
# selection_exploit take their precision from {{COMMANDS}} / {{PROCESSES}},
# and selection_exploit has no Image constraint, so a generic or empty list
# there makes the rule noisy. Expected noise is listed under falsepositives.
# Sigma escaping: '\\' inside a single-quoted value denotes one literal
# backslash, so '\\runas.exe' matches an Image ending in \runas.exe.
template_content: |
  title: {{TITLE}}
  id: {{RULE_ID}}
  status: experimental
  description: {{DESCRIPTION}}
  author: CVE-SIGMA Auto Generator
  date: {{DATE}}
  references:
  {{REFERENCES}}
  tags:
  {{TAGS}}
  logsource:
    category: process_creation
    product: windows
  detection:
    selection_runas:
      Image|endswith: '\\runas.exe'
      CommandLine|contains:
      {{COMMANDS}}
    selection_whoami:
      Image|endswith: '\\whoami.exe'
      CommandLine|contains:
      - '/priv'
      - '/groups'
    selection_exploit:
      CommandLine|contains:
      {{PROCESSES}}
    condition: selection_runas or selection_whoami or selection_exploit
  falsepositives:
  - Legitimate administrative tasks
  - System diagnostics
  level: {{LEVEL}}