Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Forest Blizzard APT - File Creation Activity

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Forest Blizzard APT - File Creation Activity

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Forest Blizzard APT - File Creation Activity
id: b92d1d19-f5c9-4ed6-bbd5-7476709dc389
status: test
description: |
    Detects the creation of specific files inside of ProgramData directory.
    These files were seen being created by Forest Blizzard as described by MSFT.
references:
    - https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-04-23
modified: 2024-07-11
tags:
    - attack.defense-evasion
    - attack.t1562.002
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection_programdata_driver_store:
        TargetFilename|startswith:
            - 'C:\ProgramData\Microsoft\v'
            - 'C:\ProgramData\Adobe\v'
            - 'C:\ProgramData\Comms\v'
            - 'C:\ProgramData\Intel\v'
            - 'C:\ProgramData\Kaspersky Lab\v'
            - 'C:\ProgramData\Bitdefender\v'
            - 'C:\ProgramData\ESET\v'
            - 'C:\ProgramData\NVIDIA\v'
            - 'C:\ProgramData\UbiSoft\v'
            - 'C:\ProgramData\Steam\v'
        TargetFilename|contains:
            - '\prnms003.inf_'
            - '\prnms009.inf_'
    selection_programdata_main:
        TargetFilename|startswith: 'C:\ProgramData\'
    selection_programdata_files_1:
        TargetFilename|endswith:
            - '.save'
            - '\doit.bat'
            - '\execute.bat'
            - '\servtask.bat'
        # Hashes|contains: '7d51e5cc51c43da5deae5fbc2dce9b85c0656c465bb25ab6bd063a503c1806a9' # Uncommon this if you collect hash information inf file events
    selection_programdata_files_2:
        TargetFilename|contains: '\wayzgoose'
        TargetFilename|endswith: '.dll'
    condition: selection_programdata_driver_store or (selection_programdata_main and 1 of selection_programdata_files_*)
falsepositives:
    - Unlikely
level: high

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_activity.yml