Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
HackTool - Doppelanger LSASS Dumper Execution
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
HackTool - Doppelanger LSASS Dumper Execution
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: HackTool - Doppelanger LSASS Dumper Execution
id: d474c8fe-bb69-4ea0-b7d9-f682b56d52d3
status: experimental
description: Detects the execution of the Doppelanger hacktool which is used to dump LSASS memory via process cloning while evading common detection methods
references:
- https://labs.yarix.com/2025/06/doppelganger-an-advanced-lsass-dumper-with-process-cloning/
- https://github.com/vari-sh/RedTeamGrimoire/tree/668e0357072546065729ad623f8c02f7be21bb08/Doppelganger
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-07-01
tags:
- attack.credential-access
- attack.t1003.001
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\Doppelganger.exe'
- Hashes|contains:
- 'IMPHASH=AB94D5217896ADCD765A06B2D52F0AEB'
- 'IMPHASH=65F0EA61156EE0C2A35421926F0C7F78'
condition: selection
falsepositives:
- Unknown
level: high
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/windows/process_creation/proc_creation_win_hktl_doppelganger.yml