Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Remote Thread Creation By Uncommon Source Image

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Remote Thread Creation By Uncommon Source Image

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Remote Thread Creation By Uncommon Source Image
id: 66d31e5f-52d6-40a4-9615-002d3789a119
related:
    - id: 02d1d718-dd13-41af-989d-ea85c7fab93f
      type: derived
status: test
description: Detects uncommon processes creating remote threads.
references:
    - Personal research, statistical analysis
    - https://lolbas-project.github.io
author: Perez Diego (@darkquassar), oscd.community
date: 2019-10-27
modified: 2025-07-08
tags:
    - attack.privilege-escalation
    - attack.defense-evasion
    - attack.t1055
logsource:
    product: windows
    category: create_remote_thread
detection:
    selection:
        SourceImage|endswith:
            - '\explorer.exe'
            - '\iexplore.exe'
            - '\msiexec.exe'
            - '\powerpnt.exe'
            - '\schtasks.exe'
            - '\winlogon.exe'
    filter_main_winlogon_1:
        SourceImage: 'C:\Windows\System32\winlogon.exe'
        TargetImage:
            - 'C:\Windows\System32\services.exe' # happens on Windows 7
            - 'C:\Windows\System32\wininit.exe' # happens on Windows 7
            - 'C:\Windows\System32\csrss.exe' # multiple OS
            - 'C:\Windows\System32\LogonUI.exe' # multiple OS
            - 'C:\Windows\System32\wlrmdr.exe'
            - 'C:\Windows\System32\AtBroker.exe'
            - 'C:\Windows\System32\dwm.exe'
            - 'C:\Windows\System32\fontdrvhost.exe'
            - 'C:\Windows\System32\userinit.exe'
    filter_main_winlogon_2:
        SourceImage: 'C:\Windows\System32\winlogon.exe'
        TargetParentProcessId: 4
    filter_main_schtasks_conhost:
        SourceImage:
            - 'C:\Windows\System32\schtasks.exe'
            - 'C:\Windows\SysWOW64\schtasks.exe'
        TargetImage: 'C:\Windows\System32\conhost.exe'
    filter_main_explorer:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|startswith:
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    filter_main_system:
        TargetImage: 'System'
    filter_main_msiexec_1:
        # Note: MSI installers will trigger this
        SourceImage|endswith: '\msiexec.exe'
        TargetImage|contains:
            - '\AppData\Local\'
            - 'C:\Program Files (x86)\'
            - 'C:\Program Files\'
            - 'C:\Windows\Microsoft.NET\Framework64\' # C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    filter_main_msiexec_2:
        SourceImage|endswith: '\msiexec.exe'
        TargetImage:
            - 'C:\Windows\System32\msiexec.exe'
            - 'C:\Windows\SysWOW64\msiexec.exe'
    filter_main_iexplore:
        SourceImage: 'C:\Program Files\Internet Explorer\iexplore.exe'
        TargetImage:
            - 'C:\Program Files (x86)\Internet Explorer\iexplore.exe'
            - 'C:\Windows\System32\rundll32.exe'
    filter_main_powerpnt:
        SourceImage|endswith: '\POWERPNT.EXE'
        TargetImage|contains:
            - 'C:\Program Files\Microsoft Office\' # C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\AI\ai.exe
            - 'C:\Program Files (x86)\Microsoft Office\'
    filter_optional_aurora_smartconsole1:
        SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
        SourceCommandLine|contains|all:
            - 'https://'
            - '.checkpoint.com/documents/'
            - 'SmartConsole_OLH/'
            - 'default.htm#cshid='
    filter_optional_aurora_smartconsole2:
        SourceImage: 'C:\Program Files\internet explorer\iexplore.exe'
        SourceParentImage|startswith:
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
        SourceParentImage|contains|all:
            - '\CheckPoint\SmartConsole\'
            - '\SmartConsole.exe'
    filter_optional_powerpnt:
        # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479
        SourceImage|contains: '\Microsoft Office\'
        SourceImage|endswith: '\POWERPNT.EXE'
        TargetImage: 'C:\Windows\System32\csrss.exe'
    filter_main_null:
        TargetImage: null
    filter_main_empty:
        TargetImage: ''
    filter_optional_onedrive:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|endswith: '\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
    filter_optional_aurora:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|endswith: '\aurora-dashboard.exe'
    filter_optional_officesetup:
        SourceImage: 'C:\Windows\explorer.exe'
        TargetImage|endswith: '\OfficeSetup.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - This rule is best put in testing first in order to create a baseline that reflects the data in your environment.
level: medium

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/create_remote_thread/create_remote_thread_win_susp_uncommon_source_image.yml