Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
PUA - Process Hacker Driver Load
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
PUA - Process Hacker Driver Load
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: PUA - Process Hacker Driver Load
id: 67add051-9ee7-4ad3-93ba-42935615ae8d
related:
- id: 10cb6535-b31d-4512-9962-513dcbc42cc1
type: similar
status: test
description: Detects driver load of the Process Hacker tool
references:
- https://processhacker.sourceforge.io/
author: Florian Roth (Nextron Systems)
date: 2022-11-16
modified: 2024-11-23
tags:
- attack.persistence
- attack.privilege-escalation
- cve.2021-21551
- attack.t1543
logsource:
category: driver_load
product: windows
detection:
selection:
- ImageLoaded|endswith: '\kprocesshacker.sys'
- Hashes|contains:
- 'IMPHASH=821D74031D3F625BCBD0DF08B70F1E77'
- 'IMPHASH=F86759BB4DE4320918615DC06E998A39'
- 'IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18'
- 'IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0'
condition: selection
falsepositives:
- Legitimate use of process hacker or system informer by developers or system administrators
level: high
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/windows/driver_load/driver_load_win_pua_process_hacker.yml