Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Suspicious File Download From File Sharing Websites - File Stream

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Suspicious File Download From File Sharing Websites - File Stream

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Suspicious File Download From File Sharing Websites -  File Stream
id: 52182dfb-afb7-41db-b4bc-5336cb29b464
related:
    - id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
      type: similar
status: test
description: Detects the download of suspicious file type from a well-known file and paste sharing domain
references:
    - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
    - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
    - https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
    - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
author: Florian Roth (Nextron Systems)
date: 2022-08-24
modified: 2025-12-10
tags:
    - attack.defense-evasion
    - attack.s0139
    - attack.t1564.004
logsource:
    product: windows
    category: create_stream_hash
detection:
    selection_domain:
        Contents|contains:
            - '.githubusercontent.com'       # Includes both gists and github repositories / Michael Haag (idea)
            - 'anonfiles.com'
            - 'cdn.discordapp.com'
            - 'ddns.net'
            - 'dl.dropboxusercontent.com'
            - 'ghostbin.co'
            - 'github.com'
            - 'glitch.me'
            - 'gofile.io'
            - 'hastebin.com'
            - 'mediafire.com'
            - 'mega.nz'
            - 'onrender.com'
            - 'pages.dev'
            - 'paste.ee'
            - 'pastebin.com'
            - 'pastebin.pl'
            - 'pastetext.net'
            - 'pixeldrain.com'
            - 'privatlab.com'
            - 'privatlab.net'
            - 'send.exploit.in'
            - 'sendspace.com'
            - 'storage.googleapis.com'
            - 'storjshare.io'
            - 'supabase.co'
            - 'temp.sh'
            - 'transfer.sh'
            - 'trycloudflare.com'
            - 'ufile.io'
            - 'w3spaces.com'
            - 'workers.dev'
    selection_extension:
        TargetFilename|contains:
            - '.cpl:Zone'
            - '.dll:Zone'
            - '.exe:Zone'
            - '.hta:Zone'
            - '.lnk:Zone'
            - '.one:Zone'
            - '.vbe:Zone'
            - '.vbs:Zone'
            - '.xll:Zone'
    condition: all of selection_*
falsepositives:
    - Some false positives might occur with binaries download via Github
level: high

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml