Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Potential COM Object Hijacking Via TreatAs Subkey - Registry

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Potential COM Object Hijacking Via TreatAs Subkey - Registry

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Potential COM Object Hijacking Via TreatAs Subkey - Registry
id: 9b0f8a61-91b2-464f-aceb-0527e0a45020
status: test
description: Detects COM object hijacking via TreatAs subkey
references:
    - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
author: Kutepov Anton, oscd.community
date: 2019-10-23
modified: 2025-10-26
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.015
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains|all:
            - 'HKU\'
            - 'Classes\CLSID\'
            - '\TreatAs'
    filter_main_svchost:
        # Example of target object by svchost
        # TargetObject: HKU\S-1-5-21-1098798288-3663759343-897484398-1001_Classes\CLSID\{0003000A-0000-0000-C000-000000000046}\TreatAs
        Image: 'C:\WINDOWS\system32\svchost.exe'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Maybe some system utilities in rare cases use linking keys for backward compatibility
level: medium
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_persistence_com_key_linking/info.yml
simulation:
    - type: atomic-red-team
      name: COM hijacking via TreatAs
      technique: T1546.015
      atomic_guid: 33eacead-f117-4863-8eb0-5c6304fbfaa9

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/registry/registry_set/registry_set_persistence_com_key_linking.yml