Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
PUA - PingCastle Execution From Potentially Suspicious Parent
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
PUA - PingCastle Execution From Potentially Suspicious Parent
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: PUA - PingCastle Execution From Potentially Suspicious Parent
id: b37998de-a70b-4f33-b219-ec36bf433dc0
related:
- id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c
type: derived
status: test
description: |
Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.
references:
- https://github.com/vletoux/pingcastle
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
- https://github.com/fengjixuchui/Start-ADEnum/blob/e237a739db98b6104427d833004836507da36a58/Functions/Start-ADEnum.ps1#L450
- https://github.com/lkys37en/Start-ADEnum/blob/5b42c54215fe5f57fc59abc52c20487d15764005/Functions/Start-ADEnum.ps1#L680
- https://github.com/projectHULK/AD_Recon/blob/dde2daba9b3393a9388cbebda87068972cc0bd3b/SecurityAssessment.ps1#L2699
- https://github.com/802-1x/Compliance/blob/2e53df8b6e89686a0b91116b3f42c8f717dca820/Ping%20Castle/Get-PingCastle-HTMLComplianceReport.ps1#L8
- https://github.com/EvotecIT/TheDashboard/blob/481a9ce8f82f2fd55fe65220ee6486bae6df0c9d/Examples/RunReports/PingCastle.ps1
author: Nasreddine Bencherchali (Nextron Systems), X__Junior (Nextron Systems)
date: 2024-01-11
tags:
- attack.reconnaissance
- attack.t1595
logsource:
category: process_creation
product: windows
detection:
selection_parent_ext:
ParentCommandLine|contains:
- '.bat'
- '.chm'
- '.cmd'
- '.hta'
- '.htm'
- '.html'
- '.js'
- '.lnk'
- '.ps1'
- '.vbe'
- '.vbs'
- '.wsf'
selection_parent_path_1:
ParentCommandLine|contains:
- ':\Perflogs\'
- ':\Temp\'
- ':\Users\Public\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp'
- '\AppData\Roaming\'
- '\Temporary Internet'
selection_parent_path_2:
- ParentCommandLine|contains|all:
- ':\Users\'
- '\Favorites\'
- ParentCommandLine|contains|all:
- ':\Users\'
- '\Favourites\'
- ParentCommandLine|contains|all:
- ':\Users\'
- '\Contacts\'
selection_cli:
- Image|endswith: '\PingCastle.exe'
- OriginalFileName: PingCastle.exe
- Product: 'Ping Castle'
- CommandLine|contains:
- '--scanner aclcheck'
- '--scanner antivirus'
- '--scanner computerversion'
- '--scanner foreignusers'
- '--scanner laps_bitlocker'
- '--scanner localadmin'
- '--scanner nullsession'
- '--scanner nullsession-trust'
- '--scanner oxidbindings'
- '--scanner remote'
- '--scanner share'
- '--scanner smb'
- '--scanner smb3querynetwork'
- '--scanner spooler'
- '--scanner startup'
- '--scanner zerologon'
- CommandLine|contains: '--no-enum-limit'
- CommandLine|contains|all:
- '--healthcheck'
- '--level Full'
- CommandLine|contains|all:
- '--healthcheck'
- '--server '
condition: 1 of selection_parent_* and selection_parent_ext and selection_cli
falsepositives:
- Unknown
level: high
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/windows/process_creation/proc_creation_win_pua_pingcastle_script_parent.yml