Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Creation Of a Suspicious ADS File Outside a Browser Download
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Creation Of a Suspicious ADS File Outside a Browser Download
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: Creation Of a Suspicious ADS File Outside a Browser Download
id: 573df571-a223-43bc-846e-3f98da481eca
status: test
description: Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers
references:
- https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/
author: frack113
date: 2022-10-22
modified: 2023-06-12
tags:
- attack.defense-evasion
logsource:
product: windows
category: create_stream_hash
detection:
selection:
Contents|startswith: '[ZoneTransfer] ZoneId=3'
TargetFilename|endswith: ':Zone.Identifier'
TargetFilename|contains:
- '.exe'
- '.scr'
- '.bat'
- '.cmd'
- '.docx'
- '.hta'
- '.jse'
- '.lnk'
- '.pptx'
- '.ps'
- '.reg'
- '.sct'
- '.vb'
- '.wsc'
- '.wsf'
- '.xlsx'
filter_optional_brave:
Image|endswith: '\brave.exe'
filter_optional_chrome:
Image:
- 'C:\Program Files\Google\Chrome\Application\chrome.exe'
- 'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
filter_optional_firefox:
Image:
- 'C:\Program Files\Mozilla Firefox\firefox.exe'
- 'C:\Program Files (x86)\Mozilla Firefox\firefox.exe'
filter_optional_ie:
Image:
- 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
- 'C:\Program Files\Internet Explorer\iexplore.exe'
filter_optional_maxthon:
Image|endswith: '\maxthon.exe'
filter_optional_edge_1:
- Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
- Image|endswith: '\WindowsApps\MicrosoftEdge.exe'
- Image:
- 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
- 'C:\Program Files\Microsoft\Edge\Application\msedge.exe'
filter_optional_edge_2:
Image|startswith:
- 'C:\Program Files (x86)\Microsoft\EdgeCore\'
- 'C:\Program Files\Microsoft\EdgeCore\'
Image|endswith:
- '\msedge.exe'
- '\msedgewebview2.exe'
filter_optional_opera:
Image|endswith: '\opera.exe'
filter_optional_safari:
Image|endswith: '\safari.exe'
filter_optional_seamonkey:
Image|endswith: '\seamonkey.exe'
filter_optional_vivaldi:
Image|endswith: '\vivaldi.exe'
filter_optional_whale:
Image|endswith: '\whale.exe'
filter_optional_snipping_tool:
Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.ScreenSketch_'
Image|endswith: '\SnippingTool\SnippingTool.exe'
TargetFilename|startswith: 'C:\Users\'
TargetFilename|contains|all:
- '\AppData\Local\Packages\Microsoft.ScreenSketch_'
- '\TempState\Screenshot '
TargetFilename|endswith: '.png:Zone.Identifier'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Other legitimate browsers not currently included in the filter (please add them)
- Legitimate downloads via scripting or command-line tools (Investigate to determine if it's legitimate)
level: medium
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml