Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse Rules Explore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

Live from sigconverter.io

CLI Versions

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Antivirus Password Dumper Detection

sigma-cli version

Backend

Format

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Antivirus Password Dumper Detection

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2

title: Antivirus Password Dumper Detection
id: 78cc2dd2-7d20-4d32-93ff-057084c38b93
status: stable
description: |
    Detects a highly relevant Antivirus alert that reports a password dumper.
    This event must not be ignored just because the AV has blocked the malware but investigate, how it came there in the first place.
references:
    - https://www.nextron-systems.com/?s=antivirus
    - https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619
    - https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448
author: Florian Roth (Nextron Systems), Arnim Rupp
date: 2018-09-09
modified: 2024-11-02
tags:
    - attack.credential-access
    - attack.t1003
    - attack.t1558
    - attack.t1003.001
    - attack.t1003.002
logsource:
    category: antivirus
detection:
    selection:
        - Signature|startswith: 'PWS'
        - Signature|contains:
              - 'Certify'
              - 'DCSync'
              - 'DumpCreds'
              - 'DumpLsass'
              - 'DumpPert'
              - 'HTool/WCE'
              - 'Kekeo'
              - 'Lazagne'
              - 'LsassDump'
              - 'Mimikatz'
              - 'MultiDump'
              - 'Nanodump'
              - 'NativeDump'
              - 'Outflank'
              - 'PShlSpy'
              - 'PSWTool'
              - 'PWCrack'
              - 'PWDump'
              - 'PWS.'
              - 'PWSX'
              - 'pypykatz'
              - 'Rubeus'
              - 'SafetyKatz'
              - 'SecurityTool'
              - 'SharpChrome'
              - 'SharpDPAPI'
              - 'SharpDump'
              - 'SharpKatz'
              - 'SharpS.' # Sharpsploit, e.g. 530ea2ff9049f5dfdfa0a2e9c27c2e3c0685eb6cbdf85370c20a7bfae49f592d
              - 'ShpKatz'
              - 'TrickDump'
    condition: selection
falsepositives:
    - Unlikely
level: critical

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/category/antivirus/av_password_dumper.yml