Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Emotet Loader Execution Via .LNK File
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Emotet Loader Execution Via .LNK File
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: Emotet Loader Execution Via .LNK File
id: 1f32d820-1d5c-43fe-8fe2-feef0c952eb7
status: test
description: |
Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022.
The ".lnk" file was delivered via phishing campaign.
references:
- https://web.archive.org/web/20220422215221/https://twitter.com/malware_traffic/status/1517622327000846338
- https://twitter.com/Cryptolaemus1/status/1517634855940632576
- https://tria.ge/220422-1pw1pscfdl/
- https://tria.ge/220422-1nnmyagdf2/
author: '@kostastsale'
date: 2022-04-22
modified: 2024-08-15
tags:
- attack.execution
- attack.t1059.006
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\cmd.exe'
- '\explorer.exe'
- '\powershell.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
CommandLine|contains|all:
- 'findstr'
- '.vbs'
- '.lnk'
condition: selection
falsepositives:
- Unlikely
level: high
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2022/Malware/Emotet/proc_creation_win_malware_emotet_loader_execution.yml