Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse Rules Explore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

Live from sigconverter.io

CLI Versions

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Potential CVE-2022-46169 Exploitation Attempt

sigma-cli version

Backend

Format

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Potential CVE-2022-46169 Exploitation Attempt

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2

title: Potential CVE-2022-46169 Exploitation Attempt
id: 738cb115-881f-4df3-82cc-56ab02fc5192
status: test
description: Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169
references:
    - https://github.com/0xf4n9x/CVE-2022-46169
    - https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf
    - https://github.com/rapid7/metasploit-framework/pull/17407
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-27
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2022-46169
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection:
        # Check for the presence of the X-FORWARDED-FOR header pointing to the hostname of the server running Cacti (which indicate auth bypass)
        # Check for previous requests indicating the bruteforce of the "local_data_ids" and "host_id"
        cs-method: 'GET'
        cs-uri-query|contains|all:
            - '/remote_agent.php'
            - 'action=polldata'
            - 'poller_id='
        cs-uri-query|contains:
            # From https://github.com/rapid7/metasploit-framework/pull/17407/files#diff-972a47250ccd30b935a59e8871134956a15980df5b29f9d970414646704d5258R288
            # Not tested could be shown in other format (update if you have more info)
            - '| base64 -d | /bin/bash`'
            - '%7C%20base64%20-d%20%7C%20%2Fbin%2Fbash%60' # URL encoded version
            # Add more suspicious commands accordingly
            - '`whoami'
            - 'powershell'
            - 'cmd'
            - 'wget'
    condition: selection
falsepositives:
    - Web vulnerability scanners
level: high

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2022/Exploits/CVE-2022-46169/web_cve_2022_46169_cacti_exploitation_attempt.yml