Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Renamed Powershell Under Powershell Channel
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Renamed Powershell Under Powershell Channel
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: Renamed Powershell Under Powershell Channel
id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592
status: test
description: |
Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Harish Segar, frack113
date: 2020-06-29
modified: 2025-01-20
tags:
- attack.execution
- attack.defense-evasion
- attack.t1059.001
- attack.t1036.003
logsource:
product: windows
category: ps_classic_start
detection:
selection:
Data|contains: 'HostName=ConsoleHost'
# Note: Powershell Logging Data is localized. Meaning that "HostApplication" field will be translated to a different field on a non english layout. This rule doesn't take this into account due to the sheer amount of possibilities. It's up to the user to add these cases.
filter_main_ps:
Data|contains:
- 'HostApplication=powershell'
- 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
- 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
# In some cases powershell was invoked with inverted slashes
- 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
- 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
- 'HostApplication=C:\\\\WINDOWS\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'
- 'HostApplication=C:\\\\WINDOWS\\\\SysWOW64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe'
filter_main_host_application_null:
# Note: Since we're using the raw data field to match. There is no easy way to filter out cases where the "HostApplication" field is null (i.e doesn't exist). We're practically forced to use a regex.
# If you're already mapping and extracting the field, then obviously use that directly.
Data|re: 'HostId=[a-zA-Z0-9-]{36}\s+EngineVersion='
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: low
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/windows/powershell/powershell_classic/posh_pc_renamed_powershell.yml