Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Suspicious Manipulation Of Default Accounts Via Net.EXE
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Suspicious Manipulation Of Default Accounts Via Net.EXE
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: Suspicious Manipulation Of Default Accounts Via Net.EXE
id: 5b768e71-86f2-4879-b448-81061cbae951
status: test
description: Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc
references:
- https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
- https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
- https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-01
modified: 2023-02-21
tags:
- attack.collection
- attack.t1560.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\net.exe'
- '\net1.exe'
- OriginalFileName:
- 'net.exe'
- 'net1.exe'
selection_user_option:
CommandLine|contains: ' user '
selection_username:
CommandLine|contains:
# Note: We need to write the full account name for cases starting with 'admin' to avoid lookups only with the user flag
- ' Järjestelmänvalvoja ' # Finish
- ' Rendszergazda ' # Hungarian
- ' Администратор ' # Russian
- ' Administrateur ' # French
- ' Administrador ' # Portuguese (Brazil + Portugal) + Spanish
- ' Administratör ' # Swedish
- ' Administrator ' # English
- ' guest '
- ' DefaultAccount '
# The cases below are for when an attacker requests the net command via 'cmd /c....'
# First in double quotes
- ' "Järjestelmänvalvoja" ' # Finish
- ' "Rendszergazda" ' # Hungarian
- ' "Администратор" ' # Russian
- ' "Administrateur" ' # French
- ' "Administrador" ' # Portuguese (Brazil + Portugal) + Spanish
- ' "Administratör" ' # Swedish
- ' "Administrator" ' # English
- ' "guest" '
- ' "DefaultAccount" '
# Second in single quotes
- " 'Järjestelmänvalvoja' " # Finish
- " 'Rendszergazda' " # Hungarian
- " 'Администратор' " # Russian
- " 'Administrateur' " # French
- " 'Administrador' " # Portuguese (Brazil + Portugal) + Spanish
- " 'Administratör' " # Swedish
- " 'Administrator' " # English
- " 'guest' "
- " 'DefaultAccount' "
filter:
CommandLine|contains|all:
- 'guest'
- '/active no'
condition: all of selection_* and not filter
falsepositives:
- Some false positives could occur with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium
level: high
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml