Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
HackTool - Generic Process Access
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
HackTool - Generic Process Access
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: HackTool - Generic Process Access
id: d0d2f720-d14f-448d-8242-51ff396a334e
status: test
description: Detects process access requests from hacktool processes based on their default image name
references:
- https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158
- https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html
author: Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel
date: 2023-11-27
tags:
- attack.credential-access
- attack.t1003.001
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection:
- SourceImage|endswith:
- '\Akagi.exe'
- '\Akagi64.exe'
- '\atexec_windows.exe'
- '\Certify.exe'
- '\Certipy.exe'
- '\CoercedPotato.exe'
- '\crackmapexec.exe'
- '\CreateMiniDump.exe'
- '\dcomexec_windows.exe'
- '\dpapi_windows.exe'
- '\findDelegation_windows.exe'
- '\GetADUsers_windows.exe'
- '\GetNPUsers_windows.exe'
- '\getPac_windows.exe'
- '\getST_windows.exe'
- '\getTGT_windows.exe'
- '\GetUserSPNs_windows.exe'
- '\gmer.exe'
- '\hashcat.exe'
- '\htran.exe'
- '\ifmap_windows.exe'
- '\impersonate.exe'
- '\Inveigh.exe'
- '\LocalPotato.exe'
- '\mimikatz_windows.exe'
- '\mimikatz.exe'
- '\netview_windows.exe'
- '\nmapAnswerMachine_windows.exe'
- '\opdump_windows.exe'
- '\PasswordDump.exe'
- '\Potato.exe'
- '\PowerTool.exe'
- '\PowerTool64.exe'
- '\psexec_windows.exe'
- '\PurpleSharp.exe'
- '\pypykatz.exe'
- '\QuarksPwDump.exe'
- '\rdp_check_windows.exe'
- '\Rubeus.exe'
- '\SafetyKatz.exe'
- '\sambaPipe_windows.exe'
- '\SelectMyParent.exe'
- '\SharpChisel.exe'
- '\SharPersist.exe'
- '\SharpEvtMute.exe'
- '\SharpImpersonation.exe'
- '\SharpLDAPmonitor.exe'
- '\SharpLdapWhoami.exe'
- '\SharpUp.exe'
- '\SharpView.exe'
- '\smbclient_windows.exe'
- '\smbserver_windows.exe'
- '\sniff_windows.exe'
- '\sniffer_windows.exe'
- '\split_windows.exe'
- '\SpoolSample.exe'
- '\Stracciatella.exe'
- '\SysmonEOP.exe'
- '\temp\rot.exe'
- '\ticketer_windows.exe'
- '\TruffleSnout.exe'
- '\winPEASany_ofs.exe'
- '\winPEASany.exe'
- '\winPEASx64_ofs.exe'
- '\winPEASx64.exe'
- '\winPEASx86_ofs.exe'
- '\winPEASx86.exe'
- '\xordump.exe'
- SourceImage|contains:
- '\goldenPac'
- '\just_dce_'
- '\karmaSMB'
- '\kintercept'
- '\LocalPotato'
- '\ntlmrelayx'
- '\rpcdump'
- '\samrdump'
- '\secretsdump'
- '\smbexec'
- '\smbrelayx'
- '\wmiexec'
- '\wmipersist'
- 'HotPotato'
- 'Juicy Potato'
- 'JuicyPotato'
- 'PetitPotam'
- 'RottenPotato'
condition: selection
falsepositives:
- Unlikely
level: high
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/windows/process_access/proc_access_win_hktl_generic_access.yml