Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Possible DC Shadow Attack

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Possible DC Shadow Attack

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Possible DC Shadow Attack
id: 32e19d25-4aed-4860-a55a-be99cb0bf7ed
related:
    - id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
      type: derived
status: test
description: Detects DCShadow via create new SPN
references:
    - https://twitter.com/gentilkiwi/status/1003236624925413376
    - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
    - https://web.archive.org/web/20180203014709/https://blog.alsid.eu/dcshadow-explained-4510f52fc19d?gi=c426ac876c48
author: Ilyas Ochkov, oscd.community, Chakib Gzenayi (@Chak092), Hosni Mribah
date: 2019-10-25
modified: 2022-10-17
tags:
    - attack.credential-access
    - attack.defense-evasion
    - attack.t1207
logsource:
    product: windows
    service: security
    definition: The "Audit Directory Service Changes" logging policy must be configured in order to receive events. Audit events are generated only for objects with configured system access control lists (SACLs). Audit events are generated only for objects with configured system access control lists (SACLs) and only when accessed in a manner that matches their SACL settings. This policy covers the following events ids - 5136, 5137, 5138, 5139, 5141. Note that the default policy does not cover User objects. For that a custom AuditRule need to be setup (See https://github.com/OTRF/Set-AuditRule)
detection:
    selection1:
        EventID: 4742
        ServicePrincipalNames|contains: 'GC/'
    selection2:
        EventID: 5136
        AttributeLDAPDisplayName: servicePrincipalName
        AttributeValue|startswith: 'GC/'
    condition: 1 of selection*
falsepositives:
    - Valid on domain controllers; exclude known DCs
level: medium

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/builtin/security/win_security_possible_dc_shadow.yml