Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
id: 6fe1719e-ecdf-4caf-bffe-4f501cb0a561
status: stable
description: Detects the suspicious file that is created from PoC code against Windows Print Spooler Remote Code Execution Vulnerability CVE-2021-34527 (PrinterNightmare), CVE-2021-1675 .
references:
    - https://twitter.com/mvelazco/status/1410291741241102338
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1675
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
author: Sittikorn S, Nuttakorn T, Tim Shelton
date: 2021-07-01
modified: 2023-10-23
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1055
    - detection.emerging-threats
    - cve.2021-34527
    - cve.2021-1675
logsource:
    category: antivirus
detection:
    selection:
        Filename|contains: ':\Windows\System32\spool\drivers\x64\'
    keywords:
        - 'File submitted to Symantec' # symantec fp, pending analysis, more generic
    condition: selection and not keywords
falsepositives:
    - Unlikely, or pending PSP analysis
level: critical

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_exploit_cve_2021_34527_print_nightmare.yml