Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

HH.EXE Initiated HTTP Network Connection

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

HH.EXE Initiated HTTP Network Connection

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: HH.EXE Initiated HTTP Network Connection
id: 468a8cea-2920-4909-a593-0cbe1d96674a
related:
    - id: f57c58b3-ee69-4ef5-9041-455bf39aaa89
      type: derived
status: test
description: |
    Detects a network connection initiated by the "hh.exe" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files.
references:
    - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html
    - https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-05
tags:
    - attack.defense-evasion
    - attack.t1218.001
    - detection.threat-hunting
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\hh.exe'
        Initiated: 'true'
        DestinationPort:
            - 80
            - 443
    condition: selection
falsepositives:
    - False positive is expected from launching "hh.exe" for the first time on a machine in a while or simply from help files containing reference to external sources. Best correlate this with process creation and file events.
level: medium

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules-threat-hunting/windows/network_connection/net_connection_win_hh_http_connection.yml