Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Potential Direct Syscall of NtOpenProcess
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Potential Direct Syscall of NtOpenProcess
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: Potential Direct Syscall of NtOpenProcess
id: 3f3f3506-1895-401b-9cc3-e86b16e630d0
status: test
description: Detects potential calls to NtOpenProcess directly from NTDLL.
references:
- https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6
author: Christian Burkard (Nextron Systems), Tim Shelton (FP)
date: 2021-07-28
modified: 2023-12-13
tags:
- attack.execution
- attack.t1106
logsource:
category: process_access
product: windows
detection:
selection:
CallTrace|startswith: 'UNKNOWN'
filter_main_vcredist:
TargetImage|endswith: 'vcredist_x64.exe'
SourceImage|endswith: 'vcredist_x64.exe'
filter_main_generic:
# Examples include "systeminfo", "backgroundTaskHost", "AUDIODG"
SourceImage|contains:
- ':\Program Files (x86)\'
- ':\Program Files\'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
- ':\Windows\WinSxS\'
TargetImage|contains:
- ':\Program Files (x86)\'
- ':\Program Files\'
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
- ':\Windows\WinSxS\'
filter_main_kerneltrace_edge:
# Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider
Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls'
filter_optional_vmware:
TargetImage|endswith: ':\Windows\system32\systeminfo.exe'
SourceImage|endswith: 'setup64.exe' # vmware
filter_optional_cylance:
SourceImage|endswith: ':\Windows\Explorer.EXE'
TargetImage|endswith: ':\Program Files\Cylance\Desktop\CylanceUI.exe'
filter_optional_amazon:
SourceImage|endswith: 'AmazonSSMAgentSetup.exe'
TargetImage|endswith: 'AmazonSSMAgentSetup.exe'
filter_optional_vscode: # VsCode
SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
TargetImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
filter_optional_teams: # MS Teams
TargetImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
SourceImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'
filter_optional_discord: # Discord
TargetImage|contains: '\AppData\Local\Discord\'
TargetImage|endswith: '\Discord.exe'
filter_optional_yammer:
SourceImage|contains: '\AppData\Local\yammerdesktop\app-'
SourceImage|endswith: '\Yammer.exe'
TargetImage|contains: '\AppData\Local\yammerdesktop\app-'
TargetImage|endswith: '\Yammer.exe'
GrantedAccess: '0x1000'
filter_optional_evernote:
TargetImage|endswith: '\Evernote\Evernote.exe'
filter_optional_adobe_acrobat:
SourceImage|contains: ':\Program Files\Adobe\Acrobat DC\Acrobat\'
SourceImage|endswith: '\AcroCEF.exe'
TargetImage|contains: ':\Program Files\Adobe\Acrobat DC\Acrobat\'
TargetImage|endswith: '\AcroCEF.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/windows/process_access/proc_access_win_susp_direct_ntopenprocess_call.yml