Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Mint Sandstorm - AsperaFaspex Suspicious Process Execution
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Mint Sandstorm - AsperaFaspex Suspicious Process Execution
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: Mint Sandstorm - AsperaFaspex Suspicious Process Execution
id: 91048c0d-5b81-4b85-a099-c9ee4fb87979
status: test
description: Detects suspicious execution from AsperaFaspex as seen used by Mint Sandstorm
references:
- https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
date: 2023-04-20
modified: 2025-10-19
tags:
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains|all:
- 'aspera'
- '\ruby'
selection_special_child_powershell_img:
Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
selection_special_child_powershell_cli:
- CommandLine|contains:
- ' echo '
- '-dumpmode'
- '-ssh'
- '.dmp'
- 'add-MpPreference'
- 'adscredentials'
- 'bitsadmin'
- 'certutil'
- 'csvhost.exe'
- 'DownloadFile'
- 'DownloadString'
- 'dsquery'
- 'ekern.exe'
- 'FromBase64String'
- 'iex '
- 'iex('
- 'Invoke-Expression'
- 'Invoke-WebRequest'
- 'localgroup administrators'
- 'o365accountconfiguration'
- 'samaccountname='
- 'set-MpPreference'
- 'svhost.exe'
- 'System.IO.Compression'
- 'System.IO.MemoryStream'
- 'usoprivate'
- 'usoshared'
- 'whoami'
- CommandLine|re:
- '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
- 'net\s+user'
- 'net\s+group'
- 'query\s+session'
selection_special_child_lsass_1:
CommandLine|contains: 'lsass'
selection_special_child_lsass_2:
CommandLine|contains:
- 'procdump'
- 'tasklist'
- 'findstr'
selection_child_wget:
Image|endswith: '\wget.exe'
CommandLine|contains: 'http'
selection_child_curl:
Image|endswith: '\curl.exe'
CommandLine|contains: 'http'
selection_child_script:
CommandLine|contains:
- 'E:jscript'
- 'e:vbscript'
selection_child_localgroup:
CommandLine|contains|all:
- 'localgroup Administrators'
- '/add'
selection_child_net:
CommandLine|contains: 'net' # Covers net1
CommandLine|contains|all:
- 'user'
- '/add'
selection_child_reg:
- CommandLine|contains|all:
- 'reg add'
- 'DisableAntiSpyware'
- '\Microsoft\Windows Defender'
- CommandLine|contains|all:
- 'reg add'
- 'DisableRestrictedAdmin'
- 'CurrentControlSet\Control\Lsa'
selection_child_wmic_1:
CommandLine|contains|all:
- 'wmic'
- 'process call create'
selection_child_wmic_2:
CommandLine|contains|all:
- 'wmic'
- 'delete'
- 'shadowcopy'
selection_child_vssadmin:
CommandLine|contains|all:
- 'vssadmin'
- 'delete'
- 'shadows'
selection_child_wbadmin:
CommandLine|contains|all:
- 'wbadmin'
- 'delete'
- 'catalog'
condition: selection_parent and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*)
falsepositives:
- Unlikely
level: critical
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml