Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Suspicious File Download From File Sharing Domain Via Curl.EXE
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Suspicious File Download From File Sharing Domain Via Curl.EXE
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: Suspicious File Download From File Sharing Domain Via Curl.EXE
id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
status: test
description: Detects potentially suspicious file download from file sharing domains using curl.exe
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
- https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-05-05
modified: 2025-12-10
tags:
- attack.execution
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\curl.exe'
- OriginalFileName: 'curl.exe'
selection_websites:
CommandLine|contains:
- '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
- 'anonfiles.com'
- 'cdn.discordapp.com'
- 'ddns.net'
- 'dl.dropboxusercontent.com'
- 'ghostbin.co'
- 'github.com'
- 'glitch.me'
- 'gofile.io'
- 'hastebin.com'
- 'mediafire.com'
- 'mega.nz'
- 'onrender.com'
- 'pages.dev'
- 'paste.ee'
- 'pastebin.com'
- 'pastebin.pl'
- 'pastetext.net'
- 'pixeldrain.com'
- 'privatlab.com'
- 'privatlab.net'
- 'send.exploit.in'
- 'sendspace.com'
- 'storage.googleapis.com'
- 'storjshare.io'
- 'supabase.co'
- 'temp.sh'
- 'transfer.sh'
- 'trycloudflare.com'
- 'ufile.io'
- 'w3spaces.com'
- 'workers.dev'
selection_http:
CommandLine|contains: 'http'
selection_flag:
CommandLine|contains:
- ' -O' # covers the alias for --remote-name and --output
- '--remote-name'
- '--output'
selection_ext:
CommandLine|endswith:
- ".ps1"
- ".ps1'"
- '.ps1"'
- ".dat"
- ".dat'"
- '.dat"'
- ".msi"
- ".msi'"
- '.msi"'
- ".bat"
- ".bat'"
- '.bat"'
- ".exe"
- ".exe'"
- '.exe"'
- ".vbs"
- ".vbs'"
- '.vbs"'
- ".vbe"
- ".vbe'"
- '.vbe"'
- ".hta"
- ".hta'"
- '.hta"'
- ".dll"
- ".dll'"
- '.dll"'
- ".psm1"
- ".psm1'"
- '.psm1"'
condition: all of selection_*
falsepositives:
- Unknown
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains/info.yml
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml