Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Suspicious PowerShell Parameter Substring
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Suspicious PowerShell Parameter Substring
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: Suspicious PowerShell Parameter Substring
id: 36210e0d-5b19-485d-a087-c096088885f0
status: test
description: Detects suspicious PowerShell invocation with a parameter substring
references:
- http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
date: 2019-01-16
modified: 2022-07-14
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- ' -windowstyle h '
- ' -windowstyl h'
- ' -windowsty h'
- ' -windowst h'
- ' -windows h'
- ' -windo h'
- ' -wind h'
- ' -win h'
- ' -wi h'
- ' -win h '
- ' -win hi '
- ' -win hid '
- ' -win hidd '
- ' -win hidde '
- ' -NoPr '
- ' -NoPro '
- ' -NoProf '
- ' -NoProfi '
- ' -NoProfil '
- ' -nonin '
- ' -nonint '
- ' -noninte '
- ' -noninter '
- ' -nonintera '
- ' -noninterac '
- ' -noninteract '
- ' -noninteracti '
- ' -noninteractiv '
- ' -ec '
- ' -encodedComman '
- ' -encodedComma '
- ' -encodedComm '
- ' -encodedCom '
- ' -encodedCo '
- ' -encodedC '
- ' -encoded '
- ' -encode '
- ' -encod '
- ' -enco '
- ' -en '
- ' -executionpolic '
- ' -executionpoli '
- ' -executionpol '
- ' -executionpo '
- ' -executionp '
- ' -execution bypass'
- ' -executio bypass'
- ' -executi bypass'
- ' -execut bypass'
- ' -execu bypass'
- ' -exec bypass'
- ' -exe bypass'
- ' -ex bypass'
- ' -ep bypass'
- ' /windowstyle h '
- ' /windowstyl h'
- ' /windowsty h'
- ' /windowst h'
- ' /windows h'
- ' /windo h'
- ' /wind h'
- ' /win h'
- ' /wi h'
- ' /win h '
- ' /win hi '
- ' /win hid '
- ' /win hidd '
- ' /win hidde '
- ' /NoPr '
- ' /NoPro '
- ' /NoProf '
- ' /NoProfi '
- ' /NoProfil '
- ' /nonin '
- ' /nonint '
- ' /noninte '
- ' /noninter '
- ' /nonintera '
- ' /noninterac '
- ' /noninteract '
- ' /noninteracti '
- ' /noninteractiv '
- ' /ec '
- ' /encodedComman '
- ' /encodedComma '
- ' /encodedComm '
- ' /encodedCom '
- ' /encodedCo '
- ' /encodedC '
- ' /encoded '
- ' /encode '
- ' /encod '
- ' /enco '
- ' /en '
- ' /executionpolic '
- ' /executionpoli '
- ' /executionpol '
- ' /executionpo '
- ' /executionp '
- ' /execution bypass'
- ' /executio bypass'
- ' /executi bypass'
- ' /execut bypass'
- ' /execu bypass'
- ' /exec bypass'
- ' /exe bypass'
- ' /ex bypass'
- ' /ep bypass'
condition: selection
falsepositives:
- Unknown
level: high
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/windows/process_creation/proc_creation_win_powershell_susp_parameter_variation.yml