Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

PrinterNightmare Mimikatz Driver Name

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

PrinterNightmare Mimikatz Driver Name

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: PrinterNightmare Mimikatz Driver Name
id: ba6b9e43-1d45-4d3c-a504-1043a64c8469
status: test
description: Detects static QMS 810 and mimikatz driver name used by Mimikatz as exploited in CVE-2021-1675 and CVE-2021-34527
references:
    - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
    - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
    - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
    - https://nvd.nist.gov/vuln/detail/cve-2021-1675
    - https://nvd.nist.gov/vuln/detail/cve-2021-34527
author: Markus Neis, @markus_neis, Florian Roth
date: 2021-07-04
modified: 2023-06-12
tags:
    - attack.execution
    - attack.t1204
    - cve.2021-1675
    - cve.2021-34527
    - detection.emerging-threats
logsource:
    product: windows
    category: registry_event
detection:
    selection:
        TargetObject|contains:
            - '\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
            - '\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz'
    selection_alt:
        TargetObject|contains|all:
            - 'legitprinter'
            - '\Control\Print\Environments\Windows'
    selection_print:
        TargetObject|contains:
            - '\Control\Print\Environments'
            - '\CurrentVersion\Print\Printers'
    selection_kiwi:
        TargetObject|contains:
            - 'Gentil Kiwi'
            - 'mimikatz printer'
            - 'Kiwi Legit Printer'
    condition: selection or selection_alt or (selection_print and selection_kiwi)
falsepositives:
    - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)
level: critical

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2021/Exploits/CVE-2021-1675/registry_event_cve_2021_1675_mimikatz_printernightmare_drivers.yml