Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse Rules Explore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

Live from sigconverter.io

CLI Versions

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Suspicious Double Extension Files

sigma-cli version

Backend

Format

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Suspicious Double Extension Files

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2

title: Suspicious Double Extension Files
id: b4926b47-a9d7-434c-b3a0-adc3fa0bd13e
related:
    - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
      type: derived
    - id: 3215aa19-f060-4332-86d5-5602511f3ca8
      type: similar
status: test
description: Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default.
references:
    - https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
    - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
    - https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles
    - https://twitter.com/malwrhunterteam/status/1235135745611960321
    - https://twitter.com/luc4m/status/1073181154126254080
    - https://cloud.google.com/blog/topics/threat-intelligence/cybercriminals-weaponize-fake-ai-websites
    - https://vipre.com/blog/svg-phishing-attacks-the-new-trick-in-the-cybercriminals-playbook/
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2022-06-19
modified: 2026-03-31
tags:
    - attack.defense-evasion
    - attack.t1036.007
logsource:
    category: file_event
    product: windows
detection:
    selection_gen:
        TargetFilename|endswith:
            - '.exe'
            - '.iso'
            - '.rar'
            - '.svg'
            - '.zip'
            # - '.lnk'  # legitimate links can happen just anywhere
        TargetFilename|contains:
            - '.doc.'
            - '.docx.'
            - '.gif.'
            - '.jpeg.'
            - '.jpg.'
            - '.mp3.'
            - '.mp4.'
            - '.pdf.'
            - '.png.'
            - '.ppt.'
            - '.pptx.'
            - '.rtf.'
            - '.svg.'
            - '.txt.'
            - '.xls.'
            - '.xlsx.'
    selection_exe:
        TargetFilename|endswith:
            - '.rar.exe'
            - '.zip.exe'
    # Note: If you wanna keep using the ".lnk" extension. You might uncomment this filter and add additional locations
    # filter_main_lnk:
    #     TargetFilename|contains:
    #         - '\AppData\Roaming\Microsoft\Office\Recent\'
    #         - '\AppData\Roaming\Microsoft\Windows\Recent\'
    filter_icons_linux:
        TargetFilename|startswith: '/usr/share/icons/'
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Unlikely
level: high

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/file/file_event/file_event_win_susp_double_extension.yml