Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

OceanLotus Registry Activity

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

OceanLotus Registry Activity

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: OceanLotus Registry Activity
id: 4ac5fc44-a601-4c06-955b-309df8c4e9d4
status: test
description: Detects registry keys created in OceanLotus (also known as APT32) attacks
references:
    - https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
    - https://github.com/eset/malware-ioc/tree/master/oceanlotus
author: megan201296, Jonhnathan Ribeiro
date: 2019-04-14
modified: 2023-09-28
tags:
    - attack.persistence
    - attack.defense-evasion
    - attack.t1112
    - detection.emerging-threats
logsource:
    category: registry_event
    product: windows
detection:
    selection_clsid:
        TargetObject|contains: '\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
    selection_hkcu:
        TargetObject|contains:
            # HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\
            - 'Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\'
            # HKCU\SOFTWARE\Classes\AppX3bbba44c6cae4d9695755183472171e2\
            - 'Classes\AppX3bbba44c6cae4d9695755183472171e2\'
            # HKCU\SOFTWARE\Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\
            - 'Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\'
            - 'Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
    selection_appx_1:
        TargetObject|contains: '\SOFTWARE\App\'
    selection_appx_2:
        TargetObject|contains:
            - 'AppXbf13d4ea2945444d8b13e2121cb6b663\'
            - 'AppX70162486c7554f7f80f481985d67586d\'
            - 'AppX37cc7fdccd644b4f85f4b22d5a3f105a\'
        TargetObject|endswith:
            - 'Application'
            - 'DefaultIcon'
    condition: selection_clsid or selection_hkcu or all of selection_appx_*
falsepositives:
    - Unknown
level: critical

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml