Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Exploitation Indicator Of CVE-2022-42475

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Exploitation Indicator Of CVE-2022-42475

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Exploitation Indicator Of CVE-2022-42475
id: 293ccb8c-bed8-4868-8296-bef30e303b7e
status: test
description: Detects exploitation indicators of CVE-2022-42475 a heap-based buffer overflow in sslvpnd.
references:
    - https://www.fortiguard.com/psirt/FG-IR-22-398
    - https://www.bleepingcomputer.com/news/security/fortinet-says-ssl-vpn-pre-auth-rce-bug-is-exploited-in-attacks/
    - https://www.deepwatch.com/labs/customer-advisory-fortios-ssl-vpn-vulnerability-cve-2022-42475-exploited-in-the-wild/
    - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Critical-vulnerability-Protect-against-heap-based/ta-p/239420
author: Nasreddine Bencherchali (Nextron Systems), Nilaa Maharjan, Douglasrose75
date: 2024-02-08
tags:
    - attack.initial-access
    - cve.2022-42475
    - detection.emerging-threats
logsource:
    product: fortios
    service: sslvpnd
    definition: 'Requirements: file creation events or equivalent must be collected from the FortiOS SSL-VPN appliance in order for this detection to function correctly'
detection:
    keywords:
        - '/data/etc/wxd.conf'
        - '/data/lib/libgif.so'
        - '/data/lib/libips.bak'
        - '/data/lib/libiptcp.so'
        - '/data/lib/libipudp.so'
        - '/data/lib/libjepg.so'
        - '/var/.sslvpnconfigbk'
    condition: keywords
falsepositives:
    - Unknown
level: high

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml