Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142
related:
    - id: 8fa65166-f463-4fd2-ad4f-1436133c52e1 # Security-Audting Eventlog
      type: similar
status: test
description: Hunts for known SVR-specific scheduled task names
author: CISA
references:
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
date: 2023-12-18
tags:
    - attack.persistence
    - detection.emerging-threats
logsource:
    product: windows
    service: taskscheduler
    definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
detection:
    selection:
        EventID:
            - 129 # Task Created
            - 140 # Task Updated
            - 141 # Task Deleted
        TaskName:
            - '\defender'
            - '\Microsoft\DefenderService'
            - '\Microsoft\Windows\Application Experience\StartupAppTaskCheck'
            - '\Microsoft\Windows\Application Experience\StartupAppTaskCkeck'
            - '\Microsoft\Windows\ATPUpd'
            - '\Microsoft\Windows\Data Integrity Scan\Data Integrity Update'
            - '\Microsoft\Windows\DefenderUPDService'
            - '\Microsoft\Windows\IISUpdateService'
            - '\Microsoft\Windows\Speech\SpeechModelInstallTask'
            - '\Microsoft\Windows\WiMSDFS'
            - '\Microsoft\Windows\Windows Defender\Defender Update Service'
            - '\Microsoft\Windows\Windows Defender\Service Update'
            - '\Microsoft\Windows\Windows Error Reporting\CheckReporting'
            - '\Microsoft\Windows\Windows Error Reporting\SubmitReporting'
            - '\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStart'
            - '\Microsoft\Windows\WindowsDefenderService'
            - '\Microsoft\Windows\WindowsDefenderService2'
            - '\Microsoft\Windows\WindowsUpdate\Scheduled AutoCheck'
            - '\Microsoft\Windows\WindowsUpdate\Scheduled Check'
            - '\WindowUpdate'
    condition: selection
falsepositives:
    - Unknown
level: high

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml