Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Files With System Process Name In Unsuspected Locations
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Files With System Process Name In Unsuspected Locations
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: Files With System Process Name In Unsuspected Locations
id: d5866ddf-ce8f-4aea-b28e-d96485a20d3d
status: test
description: |
Detects the creation of an executable with a system process name in folders other than the system ones (System32, SysWOW64, etc.).
It is highly recommended to perform an initial baseline before using this rule in production.
references:
- Internal Research
author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems)
date: 2020-05-26
modified: 2026-02-04
tags:
- attack.defense-evasion
- attack.t1036.005
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|endswith:
- '\AtBroker.exe'
- '\audiodg.exe'
- '\backgroundTaskHost.exe'
- '\bcdedit.exe'
- '\bitsadmin.exe'
- '\cmdl32.exe'
- '\cmstp.exe'
- '\conhost.exe'
- '\csrss.exe'
- '\dasHost.exe'
- '\dfrgui.exe'
- '\dllhost.exe'
- '\dwm.exe'
- '\eventcreate.exe'
- '\eventvwr.exe'
- '\explorer.exe'
- '\extrac32.exe'
- '\fontdrvhost.exe'
- '\fsquirt.exe' # was seen used by sidewinder APT - https://securelist.com/sidewinder-apt/114089/
- '\ipconfig.exe'
- '\iscsicli.exe'
- '\iscsicpl.exe'
- '\logman.exe'
- '\LogonUI.exe'
- '\LsaIso.exe'
- '\lsass.exe'
- '\lsm.exe'
- '\msiexec.exe'
- '\msinfo32.exe'
- '\mstsc.exe'
- '\nbtstat.exe'
- '\odbcconf.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regini.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\RuntimeBroker.exe'
- '\schtasks.exe'
- '\SearchFilterHost.exe'
- '\SearchIndexer.exe'
- '\SearchProtocolHost.exe'
- '\SecurityHealthService.exe'
- '\SecurityHealthSystray.exe'
- '\services.exe'
- '\ShellAppRuntime.exe'
- '\sihost.exe'
- '\smartscreen.exe'
- '\smss.exe'
- '\spoolsv.exe'
- '\svchost.exe'
- '\SystemSettingsBroker.exe'
- '\taskhost.exe'
- '\taskhostw.exe'
- '\Taskmgr.exe'
- '\TiWorker.exe'
- '\vssadmin.exe'
- '\w32tm.exe'
- '\WerFault.exe'
- '\WerFaultSecure.exe'
- '\wermgr.exe'
- '\wevtutil.exe'
- '\wininit.exe'
- '\winlogon.exe'
- '\winrshost.exe'
- '\WinRTNetMUAHostServer.exe'
- '\wlanext.exe'
- '\wlrmdr.exe'
- '\WmiPrvSE.exe'
- '\wslhost.exe'
- '\WSReset.exe'
- '\WUDFHost.exe'
- '\WWAHost.exe'
filter_main_generic:
# Note: It is recommended to use a more robust filter instead of this generic one, to avoid false negatives.
TargetFilename|contains:
# - '\SystemRoot\System32\'
- 'C:\$WINDOWS.~BT\'
- 'C:\$WinREAgent\'
- 'C:\Windows\SoftwareDistribution\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
- 'C:\Windows\WinSxS\'
- 'C:\Windows\uus\'
filter_main_tiworker:
Image|endswith:
- '\TiWorker.exe'
- '\wuaucltcore.exe'
TargetFilename|startswith: 'C:\Windows\Temp\'
filter_main_svchost:
Image|endswith:
- 'C:\Windows\system32\svchost.exe'
- 'C:\Windows\SysWOW64\svchost.exe'
TargetFilename|contains:
- 'C:\Program Files\WindowsApps\'
- 'C:\Program Files (x86)\WindowsApps\'
- '\AppData\Local\Microsoft\WindowsApps\'
filter_main_wuauclt:
Image:
- 'C:\Windows\System32\wuauclt.exe'
- 'C:\Windows\SysWOW64\wuauclt.exe'
- 'C:\Windows\UUS\arm64\wuaucltcore.exe'
filter_main_explorer:
TargetFilename|endswith: 'C:\Windows\explorer.exe'
filter_main_msiexec:
# This filter handles system processes who are updated/installed using misexec.
Image|endswith:
- 'C:\WINDOWS\system32\msiexec.exe'
- 'C:\WINDOWS\SysWOW64\msiexec.exe'
# Add more processes if you find them or simply filter msiexec on its own. If the list grows big
TargetFilename|startswith:
- 'C:\Program Files\PowerShell\7\pwsh.exe'
- 'C:\Program Files\PowerShell\7-preview\pwsh.exe'
- 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview\'
filter_main_healtray:
TargetFilename|contains: 'C:\Windows\System32\SecurityHealth\'
TargetFilename|endswith: '\SecurityHealthSystray.exe'
Image|endswith: '\SecurityHealthSetup.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- System processes copied outside their default folders for testing purposes
- Third party software naming their software with the same names as the processes mentioned here
# Note: Upgrade to high after an initial baseline to your environement.
level: medium
regression_tests_path: regression_data/rules/windows/file/file_event/file_event_win_creation_system_file/info.yml
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/windows/file/file_event/file_event_win_creation_system_file.yml