Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Potential Exploitation of RCE Vulnerability CVE-2025-33053 - Image Load
id: 04fc4b22-91a6-495a-879d-0144fec5ec03
related:
    - id: abe06362-a5b9-4371-8724-ebd00cd48a04
      type: similar
    - id: 9a2d8b3e-f5a1-4c68-9e21-7d9e1cf8a123
      type: similar
status: experimental
description: |
    Detects potential exploitation of remote code execution vulnerability CVE-2025-33053
    by monitoring suspicious image loads from WebDAV paths. The exploit involves malicious executables from
    attacker-controlled WebDAV servers loading the Windows system DLLs like gdi32.dll, netapi32.dll, etc.
references:
    - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-33053
    - https://research.checkpoint.com/2025/stealth-falcon-zero-day/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-06-13
tags:
    - attack.command-and-control
    - attack.execution
    - attack.defense-evasion
    - attack.t1218
    - attack.lateral-movement
    - attack.t1105
    - detection.emerging-threats
    - cve.2025-33053
logsource:
    category: image_load
    product: windows
detection:
    selection_img_path:
        Image|startswith: '\\\\'
        Image|contains: '\DavWWWRoot\'
    selection_img_bin:
        Image|endswith:
            - '\route.exe'
            - '\netsh.exe'
            - '\makecab.exe'
            - '\dxdiag.exe'
            - '\ipconfig.exe'
            - '\explorer.exe'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2025/Exploits/CVE-2025-33053/image_load_win_exploit_cve_2025_33053.yml