Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Execution of Suspicious File Type Extension
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Execution of Suspicious File Type Extension
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: Execution of Suspicious File Type Extension
id: c09dad97-1c78-4f71-b127-7edb2b8e491a
status: test
description: |
Detects whether the image specified in a process creation event doesn't refer to an ".exe" (or other known executable extension) file. This can be caused by process ghosting or other unorthodox methods to start a process.
This rule might require some initial baselining to align with some third party tooling in the user environment.
references:
- https://pentestlaboratories.com/2021/12/08/process-ghosting/
author: Max Altgelt (Nextron Systems)
date: 2021-12-09
modified: 2023-11-23
tags:
- attack.defense-evasion
logsource:
category: process_creation
product: windows
detection:
known_image_extension:
Image|endswith:
- '.bin'
- '.cgi'
- '.com'
- '.exe'
- '.scr'
- '.tmp' # sadly many installers use this extension
filter_main_image: # Windows utilities without extension
Image:
- 'System'
- 'Registry'
- 'MemCompression'
- 'vmmem'
filter_main_msi_installers:
Image|contains: ':\Windows\Installer\MSI'
filter_main_driver_store:
Image|contains: ':\Windows\System32\DriverStore\FileRepository\'
filter_main_msi_rollbackfiles:
Image|contains: ':\Config.Msi\'
Image|endswith:
- '.rbf'
- '.rbs'
filter_main_windows_temp:
- ParentImage|contains: ':\Windows\Temp\'
- Image|contains: ':\Windows\Temp\'
filter_main_deleted:
Image|contains: ':\$Extend\$Deleted\'
filter_main_empty:
Image:
- '-'
- ''
filter_main_null:
Image: null
filter_optional_avira:
ParentImage|contains: ':\ProgramData\Avira\'
filter_optional_nvidia:
Image|contains: 'NVIDIA\NvBackend\'
Image|endswith: '.dat'
filter_optional_winpakpro:
Image|contains:
- ':\Program Files (x86)\WINPAKPRO\'
- ':\Program Files\WINPAKPRO\'
Image|endswith: '.ngn'
filter_optional_myq_server:
Image|endswith:
- ':\Program Files (x86)\MyQ\Server\pcltool.dll'
- ':\Program Files\MyQ\Server\pcltool.dll'
filter_optional_wsl:
Image|contains|all:
- '\AppData\Local\Packages\'
- '\LocalState\rootfs\'
filter_optional_lzma_exe:
Image|endswith: '\LZMA_EXE'
filter_optional_firefox:
Image|contains: ':\Program Files\Mozilla Firefox\'
filter_optional_docker:
ParentImage: 'C:\Windows\System32\services.exe'
Image|endswith: 'com.docker.service'
condition: not known_image_extension and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Unknown
level: medium
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml