Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Indexed Rules: 3,707 (ready to search)

Backends: 17 (live from sigconverter.io)

CLI Versions: 10 (newest: 2.0.2)

Translation Workspace

Shape the rule before it leaves Phoenix.

Active Rule: File Creation Related To RAT Clients

Target Profile: Splunk (Splunk SPL & tstats data model queries)

Format Mode: Default (plain SPL queries)

Conversion Output

File Creation Related To RAT Clients

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

Backend: Splunk · Format: Default · Version: 2.0.2

title: File Creation Related To RAT Clients
id: 2f3039c8-e8fe-43a9-b5cf-dcd424a2522d
status: experimental
description: |
    File .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.
references:
    - https://www.virustotal.com/gui/file/c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761
    - https://www.virustotal.com/gui/file/e96a0c1bc5f720d7f0a53f72e5bb424163c943c24a437b1065957a79f5872675
author: Joseliyo Sanchez, @Joseliyo_Jstnk
date: 2024-12-19
tags:
    - attack.execution
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    # VT Query: behaviour_files:"\\AppData\\Roaming\\DataLogs\\DataLogs.conf"
    # VT Query: behaviour_files:"DataLogs.conf" or behaviour_files:"hvnc.conf" or behaviour_files:"dcrat.conf"
    selection_required:
        TargetFilename|contains: '\AppData\Roaming\'
    selection_variants:
        TargetFilename|contains:
            - '\mydata\'
            - '\datalogs\'
            - '\hvnc\'
            - '\dcrat\'
        TargetFilename|endswith:
            - '\datalogs.conf'
            - '\hvnc.conf'
            - '\dcrat.conf'
    condition: all of selection_*
falsepositives:
    - Legitimate software creating a file with the same name
level: high
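Before shipping the Splunk translation, it helps to confirm what the rule's condition actually matches. The following is an added example, not Phoenix or sigma-cli code: it re-implements the rule's selections in Python and runs them over a handful of constructed Windows file_event records (the record ids, paths and the `run_detection` helper are assumptions for illustration).

```python
# Added example, not from Phoenix or sigma-cli: evaluate the rule's logic in Python
# over constructed file_event records. Sigma contains/endswith match case-insensitively.
REQUIRED_CONTAINS = ["\\AppData\\Roaming\\"]
VARIANT_CONTAINS = ["\\mydata\\", "\\datalogs\\", "\\hvnc\\", "\\dcrat\\"]
VARIANT_ENDSWITH = ["\\datalogs.conf", "\\hvnc.conf", "\\dcrat.conf"]

def _contains_any(value: str, needles: list) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)

def _endswith_any(value: str, needles: list) -> bool:
    v = value.lower()
    return any(v.endswith(n.lower()) for n in needles)

def matches_rat_config_rule(event: dict) -> bool:
    """Return True when the event satisfies 'condition: all of selection_*'."""
    # logsource: only Windows file_event records are in scope
    if event.get("category") != "file_event" or event.get("product") != "windows":
        return False
    target = event.get("TargetFilename", "")
    selection_required = _contains_any(target, REQUIRED_CONTAINS)
    # Keys inside one selection are ANDed; list values under a key are ORed
    selection_variants = (_contains_any(target, VARIANT_CONTAINS)
                          and _endswith_any(target, VARIANT_ENDSWITH))
    return selection_required and selection_variants

# Constructed sample events (not from the page); only ids 1 and 2 should alert
SAMPLE_EVENTS = [
    {"id": 1, "category": "file_event", "product": "windows",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\DataLogs\\DataLogs.conf"},
    {"id": 2, "category": "file_event", "product": "windows",
     "TargetFilename": "C:\\Users\\bob\\AppData\\Roaming\\hvnc\\HVNC.conf"},
    {"id": 3, "category": "file_event", "product": "windows",
     "TargetFilename": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\app.conf"},
    {"id": 4, "category": "file_event", "product": "windows",
     "TargetFilename": "C:\\ProgramData\\dcrat\\dcrat.conf"},
    {"id": 5, "category": "file_event", "product": "windows",
     "TargetFilename": "C:\\Users\\carol\\AppData\\Roaming\\datalogs\\notes.txt"},
]

def run_detection(events: list) -> list:
    """Return the ids of events that would fire the rule."""
    return [e["id"] for e in events if matches_rat_config_rule(e)]

if __name__ == "__main__":
    print(run_detection(SAMPLE_EVENTS))  # → [1, 2]
```

Records 4 and 5 show the two ways a near-miss is excluded: a config file outside `\AppData\Roaming\` fails `selection_required`, and a file in a named folder without one of the listed `.conf` names fails `selection_variants`.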

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2024/Malware/Generic/file_event_win_malware_generic_creation_configuration_rats.yml