Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Potential Compromised 3CXDesktopApp Execution
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Potential Compromised 3CXDesktopApp Execution
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: Potential Compromised 3CXDesktopApp Execution
id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c
related:
- id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
type: similar
- id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
type: similar
- id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
type: similar
- id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
type: similar
- id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
type: similar
- id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
type: similar
- id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
type: similar
status: test
description: Detects execution of known compromised version of 3CXDesktopApp
references:
- https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-29
modified: 2024-11-23
tags:
- attack.defense-evasion
- attack.t1218
- attack.execution
- detection.emerging-threats
logsource:
category: process_creation
product: windows
detection:
selection_hashes:
Hashes|contains:
# 3CX Desktop 18.12.407
- 'SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC'
- 'SHA256=54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02'
- 'SHA256=D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE'
- 'SHA1=480DC408EF50BE69EBCF84B95750F7E93A8A1859'
- 'SHA1=3B43A5D8B83C637D00D769660D01333E88F5A187'
- 'SHA1=6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA'
- 'MD5=BB915073385DD16A846DFA318AFA3C19'
- 'MD5=08D79E1FFFA244CC0DC61F7D2036ACA9'
- 'MD5=4965EDF659753E3C05D800C6C8A23A7A'
# 3CX Desktop 18.12.416
- 'SHA256=FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405'
- 'SHA256=5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734'
- 'SHA256=A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203'
- 'SHA1=E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1'
- 'SHA1=8433A94AEDB6380AC8D4610AF643FB0E5220C5CB'
- 'SHA1=413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5'
- 'MD5=9833A4779B69B38E3E51F04E395674C6'
- 'MD5=704DB9184700481A56E5100FB56496CE'
- 'MD5=8EE6802F085F7A9DF7E0303E65722DC0'
# 3CXDesktopApp MSI
- 'SHA256=AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868'
- 'SHA256=59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983'
- 'SHA1=BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA'
- 'SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E'
- 'MD5=F3D4144860CA10BA60F7EF4D176CC736'
- 'MD5=0EEB1C0133EB4D571178B2D9D14CE3E9'
selection_pe_1:
- OriginalFileName: '3CXDesktopApp.exe'
- Image|endswith: '\3CXDesktopApp.exe'
- Product: '3CX Desktop App'
selection_pe_2:
FileVersion|contains: '18.12.'
condition: all of selection_pe_* or selection_hashes
falsepositives:
- Legitimate usage of 3CXDesktopApp
level: high
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2023/TA/3CX-Supply-Chain/proc_creation_win_malware_3cx_compromise_execution.yml