Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Suspicious Cabinet File Execution Via Msdt.EXE

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Suspicious Cabinet File Execution Via Msdt.EXE

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Suspicious Cabinet File Execution Via Msdt.EXE
id: dc4576d4-7467-424f-9eee-fd2b02855fe0
related:
    - id: 6545ce61-a1bd-4119-b9be-fcbee42c0cf3
      type: obsolete
status: test
description: Detects execution of msdt.exe using the "cab" flag which could indicates suspicious diagcab files with embedded answer files leveraging CVE-2022-30190
references:
    - https://twitter.com/nas_bench/status/1537896324837781506
    - https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab
    - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0
    - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
author: Nasreddine Bencherchali (Nextron Systems), GossiTheDog, frack113
date: 2022-06-21
modified: 2024-03-13
tags:
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\msdt.exe'
        - OriginalFileName: 'msdt.exe'
    selection_cmd:
        CommandLine|contains|windash: ' -cab '
    condition: all of selection_*
falsepositives:
    - Legitimate usage of ".diagcab" files
level: medium

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml