Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Uncommon Service Installation Image Path

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Uncommon Service Installation Image Path

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Uncommon Service Installation Image Path
id: 26481afe-db26-4228-b264-25a29fe6efc7
related:
    - id: ca83e9f3-657a-45d0-88d6-c1ac280caf53
      type: obsolete
    - id: 1d61f71d-59d2-479e-9562-4ff5f4ead16b
      type: derived
status: test
description: |
    Detects uncommon service installation commands by looking at suspicious or uncommon image path values containing references to encoded powershell commands, temporary paths, etc.
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2022-03-18
modified: 2024-02-09
tags:
    - attack.persistence
    - attack.privilege-escalation
    - car.2013-09-005
    - attack.t1543.003
logsource:
    product: windows
    service: system
detection:
    selection:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    suspicious_paths:
        ImagePath|contains:
            - '\\\\.\\pipe'
            - '\Users\Public\'
            - '\Windows\Temp\'
    suspicious_encoded_flag:
        ImagePath|contains: ' -e'
    suspicious_encoded_keywords:
        ImagePath|contains:
            - ' aQBlAHgA' # PowerShell encoded commands
            - ' aWV4I' # PowerShell encoded commands
            - ' IAB' # PowerShell encoded commands
            - ' JAB' # PowerShell encoded commands
            - ' PAA' # PowerShell encoded commands
            - ' SQBFAFgA' # PowerShell encoded commands
            - ' SUVYI' # PowerShell encoded commands
    filter_optional_thor_remote:
        ImagePath|startswith: 'C:\WINDOWS\TEMP\thor10-remote\thor64.exe'
    filter_main_defender_def_updates:
        ImagePath|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Definition Updates\'
    condition: selection and ( suspicious_paths or all of suspicious_encoded_* ) and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/builtin/system/service_control_manager/win_system_service_install_uncommon.yml