Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

GALLIUM IOCs

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

GALLIUM IOCs

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: GALLIUM IOCs
id: 440a56bf-7873-4439-940a-1c8a671073c2
status: test
description: Detects artifacts associated with GALLIUM cyber espionage group as reported by Microsoft Threat Intelligence Center in the December 2019 report.
references:
    - https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
    - https://github.com/Azure/Azure-Sentinel/blob/a02ce85c96f162de6f8cc06f07a53b6525f0ff7f/Solutions/Legacy%20IOC%20based%20Threat%20Protection/Analytic%20Rules/GalliumIOCs.yaml
author: Tim Burrell
date: 2020-02-07
modified: 2024-11-23
tags:
    - attack.credential-access
    - attack.command-and-control
    - attack.t1212
    - attack.t1071
    - attack.g0093
    - detection.emerging-threats
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Hashes|contains:
            - 'SHA256=9ae7c4a4e1cfe9b505c3a47e66551eb1357affee65bfefb0109d02f4e97c06dd'
            - 'SHA256=7772d624e1aed327abcd24ce2068063da0e31bb1d5d3bf2841fc977e198c6c5b'
            - 'SHA256=657fc7e6447e0065d488a7db2caab13071e44741875044f9024ca843fe4e86b5'
            - 'SHA256=2ef157a97e28574356e1d871abf75deca7d7a1ea662f38b577a06dd039dbae29'
            - 'SHA256=52fd7b90d7144ac448af4008be639d4d45c252e51823f4311011af3207a5fc77'
            - 'SHA256=a370e47cb97b35f1ae6590d14ada7561d22b4a73be0cb6df7e851d85054b1ac3'
            - 'SHA256=5bf80b871278a29f356bd42af1e35428aead20cd90b0c7642247afcaaa95b022'
            - 'SHA256=6f690ccfd54c2b02f0c3cb89c938162c10cbeee693286e809579c540b07ed883'
            - 'SHA256=3c884f776fbd16597c072afd81029e8764dd57ee79d798829ca111f5e170bd8e'
            - 'SHA256=1922a419f57afb351b58330ed456143cc8de8b3ebcbd236d26a219b03b3464d7'
            - 'SHA256=fe0e4ef832b62d49b43433e10c47dc51072959af93963c790892efc20ec422f1'
            - 'SHA256=7ce9e1c5562c8a5c93878629a47fe6071a35d604ed57a8f918f3eadf82c11a9c'
            - 'SHA256=178d5ee8c04401d332af331087a80fb4e5e2937edfba7266f9be34a5029b6945'
            - 'SHA256=51f70956fa8c487784fd21ab795f6ba2199b5c2d346acdeef1de0318a4c729d9'
            - 'SHA256=889bca95f1a69e94aaade1e959ed0d3620531dc0fc563be9a8decf41899b4d79'
            - 'SHA256=332ddaa00e2eb862742cb8d7e24ce52a5d38ffb22f6c8bd51162bd35e84d7ddf'
            - 'SHA256=44bcf82fa536318622798504e8369e9dcdb32686b95fcb44579f0b4efa79df08'
            - 'SHA256=63552772fdd8c947712a2cff00dfe25c7a34133716784b6d486227384f8cf3ef'
            - 'SHA256=056744a3c371b5938d63c396fe094afce8fb153796a65afa5103e1bffd7ca070'
            - 'SHA1=53a44c2396d15c3a03723fa5e5db54cafd527635'
            - 'SHA1=9c5e496921e3bc882dc40694f1dcc3746a75db19'
            - 'SHA1=aeb573accfd95758550cf30bf04f389a92922844'
            - 'SHA1=79ef78a797403a4ed1a616c68e07fff868a8650a'
            - 'SHA1=4f6f38b4cec35e895d91c052b1f5a83d665c2196'
            - 'SHA1=1e8c2cac2e4ce7cbd33c3858eb2e24531cb8a84d'
            - 'SHA1=e841a63e47361a572db9a7334af459ddca11347a'
            - 'SHA1=c28f606df28a9bc8df75a4d5e5837fc5522dd34d'
            - 'SHA1=2e94b305d6812a9f96e6781c888e48c7fb157b6b'
            - 'SHA1=dd44133716b8a241957b912fa6a02efde3ce3025'
            - 'SHA1=8793bf166cb89eb55f0593404e4e933ab605e803'
            - 'SHA1=a39b57032dbb2335499a51e13470a7cd5d86b138'
            - 'SHA1=41cc2b15c662bc001c0eb92f6cc222934f0beeea'
            - 'SHA1=d209430d6af54792371174e70e27dd11d3def7a7'
            - 'SHA1=1c6452026c56efd2c94cea7e0f671eb55515edb0'
            - 'SHA1=c6b41d3afdcdcaf9f442bbe772f5da871801fd5a'
            - 'SHA1=4923d460e22fbbf165bbbaba168e5a46b8157d9f'
            - 'SHA1=f201504bd96e81d0d350c3a8332593ee1c9e09de'
            - 'SHA1=ddd2db1127632a2a52943a2fe516a2e7d05d70d2'
    condition: selection
falsepositives:
    - Unknown
level: high

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2020/TA/GALLIUM/proc_creation_win_apt_gallium_iocs.yml