Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse Rules Explore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

Live from sigconverter.io

CLI Versions

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Suspicious SYSTEM User Process Creation

sigma-cli version

Backend

Format

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Suspicious SYSTEM User Process Creation

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2

title: Suspicious SYSTEM User Process Creation
id: 2617e7ed-adb7-40ba-b0f3-8f9945fe6c09
status: test
description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
references:
    - Internal Research
    - https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
date: 2021-12-20
modified: 2025-10-19
tags:
    - attack.credential-access
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1134
    - attack.t1003
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        IntegrityLevel:
            - 'System'
            - 'S-1-16-16384'
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
    selection_special:
        - Image|endswith:
              - '\calc.exe'
              - '\cscript.exe'
              - '\forfiles.exe'
              - '\hh.exe'
              - '\mshta.exe'
              - '\ping.exe'
              - '\wscript.exe'
        - CommandLine|re: 'net\s+user\s+'
        - CommandLine|contains:
              # - 'sc stop ' # stops a system service # causes FPs
              - ' -NoP '  # Often used in malicious PowerShell commands
              - ' -W Hidden '  # Often used in malicious PowerShell commands
              - ' -decode '  # Used with certutil
              - ' /decode '  # Used with certutil
              - ' /urlcache '  # Used with certutil
              - ' -urlcache '  # Used with certutil
              - ' -e* JAB'  # PowerShell encoded commands
              - ' -e* SUVYI'  # PowerShell encoded commands
              - ' -e* SQBFAFgA'  # PowerShell encoded commands
              - ' -e* aWV4I'  # PowerShell encoded commands
              - ' -e* IAB'  # PowerShell encoded commands
              - ' -e* PAA'  # PowerShell encoded commands
              - ' -e* aQBlAHgA'  # PowerShell encoded commands
              - 'vssadmin delete shadows'  # Ransomware
              - 'reg SAVE HKLM'  # save registry SAM - syskey extraction
              - ' -ma '  # ProcDump
              - 'Microsoft\Windows\CurrentVersion\Run'  # Run key in command line - often in combination with REG ADD
              - '.downloadstring('  # PowerShell download command
              - '.downloadfile('  # PowerShell download command
              - ' /ticket:'  # Rubeus
              - 'dpapi::'     # Mimikatz
              - 'event::clear'        # Mimikatz
              - 'event::drop'     # Mimikatz
              - 'id::modify'      # Mimikatz
              - 'kerberos::'       # Mimikatz
              - 'lsadump::'      # Mimikatz
              - 'misc::'     # Mimikatz
              - 'privilege::'       # Mimikatz
              - 'rpc::'      # Mimikatz
              - 'sekurlsa::'       # Mimikatz
              - 'sid::'        # Mimikatz
              - 'token::'      # Mimikatz
              - 'vault::cred'     # Mimikatz
              - 'vault::list'     # Mimikatz
              - ' p::d '  # Mimikatz
              - ';iex('  # PowerShell IEX
              - 'MiniDump'  # Process dumping method apart from procdump
    filter_main_ping:
        CommandLine|contains|all:
            - 'ping'
            - '127.0.0.1'
            - ' -n '
    filter_vs:
        Image|endswith: '\PING.EXE'
        ParentCommandLine|contains: '\DismFoDInstall.cmd'
    filter_config_mgr:
        ParentImage|contains: ':\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
    filter_java:
        ParentImage|contains:
            - ':\Program Files (x86)\Java\'
            - ':\Program Files\Java\'
        ParentImage|endswith: '\bin\javaws.exe'
        Image|contains:
            - ':\Program Files (x86)\Java\'
            - ':\Program Files\Java\'
        Image|endswith: '\bin\jp2launcher.exe'
        CommandLine|contains: ' -ma '
    condition: all of selection* and not 1 of filter_*
falsepositives:
    - Administrative activity
    - Scripts and administrative tools used in the monitored environment
    - Monitoring activity
level: high

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml