Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse Rules Explore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

Live from sigconverter.io

CLI Versions

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Potentially Suspicious Malware Callback Communication

sigma-cli version

Backend

Format

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Potentially Suspicious Malware Callback Communication

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2

title: Potentially Suspicious Malware Callback Communication
id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
related:
    - id: 6d8c3d20-a5e1-494f-8412-4571d716cf5c
      type: similar
status: test
description: |
    Detects programs that connect to known malware callback ports based on statistical analysis from two different sandbox system databases
references:
    - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
author: Florian Roth (Nextron Systems)
date: 2017-03-19
modified: 2024-03-12
tags:
    - attack.persistence
    - attack.command-and-control
    - attack.t1571
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationPort:
            - 100
            - 198
            - 200
            - 243
            - 473
            - 666
            - 700
            - 743
            - 777
            - 1443
            - 1515
            - 1777
            - 1817
            - 1904
            - 1960
            - 2443
            - 2448
            - 3360
            - 3675
            - 3939
            - 4040
            - 4433
            - 4438
            - 4443
            - 4444
            - 4455
            - 5445
            - 5552
            - 5649
            - 6625
            - 7210
            - 7777
            - 8143
            - 8843
            - 9631
            - 9943
            - 10101
            - 12102
            - 12103
            - 12322
            - 13145
            - 13394
            - 13504
            - 13505
            - 13506
            - 13507
            - 14102
            - 14103
            - 14154
            - 49180
            - 65520
            - 65535
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    filter_optional_sys_directories:
        Image|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: high

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/network_connection/net_connection_win_susp_malware_callback_port.yml