Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Startup/Logon Script Added to Group Policy Object

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Startup/Logon Script Added to Group Policy Object

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Startup/Logon Script Added to Group Policy Object
id: 123e4e6d-b123-48f8-b261-7214938acaf0
status: test
description: |
    Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
references:
    - https://www.elastic.co/guide/en/security/current/startup-logon-script-added-to-group-policy-object.html
author: Elastic, Josh Nickels, Marius Rothenbücher
date: 2024-09-06
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1484.001
    - attack.t1547
logsource:
    product: windows
    service: security
    definition: 'The advanced audit policy setting "Object Access > Audit Detailed File Share" must be configured for Success/Failure'
detection:
    selection_eventid:
        EventID:
            - 5136
            - 5145
    selection_attributes_main:
        AttributeLDAPDisplayName:
            - 'gPCMachineExtensionNames'
            - 'gPCUserExtensionNames'
        AttributeValue|contains: '42B5FAAE-6536-11D2-AE5A-0000F87571E3'
    selection_attributes_optional:
        AttributeValue|contains:
            - '40B6664F-4972-11D1-A7CA-0000F87571E3'
            - '40B66650-4972-11D1-A7CA-0000F87571E3'
    selection_share:
        ShareName|endswith: '\SYSVOL'
        RelativeTargetName|endswith:
            - '\scripts.ini'
            - '\psscripts.ini'
        AccessList|contains: '%%4417'
    condition: selection_eventid and (all of selection_attributes_* or selection_share)
falsepositives:
    - Legitimate execution by system administrators.
level: medium

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml