Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

HackTool - Impacket Tools Execution

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

HackTool - Impacket Tools Execution

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: HackTool - Impacket Tools Execution
id: 4627c6ae-6899-46e2-aa0c-6ebcb1becd19
status: test
description: Detects the execution of different compiled Windows binaries of the impacket toolset (based on names or part of their names - could lead to false positives)
references:
    - https://github.com/ropnop/impacket_static_binaries/releases/tag/0.9.21-dev-binaries
author: Florian Roth (Nextron Systems)
date: 2021-07-24
modified: 2023-02-07
tags:
    - attack.collection
    - attack.execution
    - attack.credential-access
    - attack.t1557.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - Image|contains:
              - '\goldenPac'
              - '\karmaSMB'
              - '\kintercept'
              - '\ntlmrelayx'
              - '\rpcdump'
              - '\samrdump'
              - '\secretsdump'
              - '\smbexec'
              - '\smbrelayx'
              - '\wmiexec'
              - '\wmipersist'
        - Image|endswith:
              - '\atexec_windows.exe'
              - '\dcomexec_windows.exe'
              - '\dpapi_windows.exe'
              - '\findDelegation_windows.exe'
              - '\GetADUsers_windows.exe'
              - '\GetNPUsers_windows.exe'
              - '\getPac_windows.exe'
              - '\getST_windows.exe'
              - '\getTGT_windows.exe'
              - '\GetUserSPNs_windows.exe'
              - '\ifmap_windows.exe'
              - '\mimikatz_windows.exe'
              - '\netview_windows.exe'
              - '\nmapAnswerMachine_windows.exe'
              - '\opdump_windows.exe'
              - '\psexec_windows.exe'
              - '\rdp_check_windows.exe'
              - '\sambaPipe_windows.exe'
              - '\smbclient_windows.exe'
              - '\smbserver_windows.exe'
              - '\sniff_windows.exe'
              - '\sniffer_windows.exe'
              - '\split_windows.exe'
              - '\ticketer_windows.exe'
              # - '\addcomputer_windows.exe'
              # - '\esentutl_windows.exe'
              # - '\getArch_windows.exe'
              # - '\lookupsid_windows.exe'
              # - '\mqtt_check_windows.exe'
              # - '\mssqlclient_windows.exe'
              # - '\mssqlinstance_windows.exe'
              # - '\ntfs-read_windows.exe'
              # - '\ping_windows.exe'
              # - '\ping6_windows.exe'
              # - '\raiseChild_windows.exe'
              # - '\reg_windows.exe'
              # - '\registry-read_windows.exe'
              # - '\services_windows.exe'
              # - '\wmiquery_windows.exe'
    condition: selection
falsepositives:
    - Legitimate use of the impacket tools
level: high

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/process_creation/proc_creation_win_hktl_impacket_tools.yml