Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

HTML File Opened From Download Folder

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

HTML File Opened From Download Folder

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: HTML File Opened From Download Folder
id: 538c5851-8c03-4724-8ec4-623bc7aadaea
status: experimental
description: |
    Detects web browser process opening an HTML file from a user's Downloads folder.
    This behavior is could be associated with phishing attacks where threat actors send HTML attachments to users.
    When a user opens such an attachment, it can lead to the execution of malicious scripts or the download of malware.
    During investigation, analyze the HTML file for embedded scripts or links, check for any subsequent downloads or process executions, and investigate the source of the email or message containing the attachment.
references:
    - https://app.any.run/tasks/ae3c4ded-fd6a-43ed-8215-ba0ba574ad33
    - https://app.any.run/tasks/8901e2d5-0c5a-48ba-a8e9-10b5ed7e06f4
author: Joseph Kamau
date: 2025-12-05
tags:
    - attack.t1598.002
    - attack.t1566.001
    - attack.initial-access
    - attack.reconnaissance
    - detection.threat-hunting
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith:
            - '\brave.exe'
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
            - '\opera.exe'
            - '\vivaldi.exe'
        CommandLine|contains|all:
            - ':\users\'
            - '\Downloads\'
            - '.htm'
    condition: selection
falsepositives:
    - Opening any HTML file located in users directories via a browser process will trigger this.
level: low

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules-threat-hunting/windows/process_creation/proc_creation_win_susp_open_html_file_from_download_folder.yml