Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse Rules Explore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

Live from sigconverter.io

CLI Versions

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Windows Default Domain GPO Modification via GPME

sigma-cli version

Backend

Format

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Windows Default Domain GPO Modification via GPME

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2

title: Windows Default Domain GPO Modification via GPME
id: dcff7e85-d01f-4eb5-badd-84e2e6be8294
related:
    - id: e5ac86dd-2da1-454b-be74-05d26c769d7d
      type: similar
status: experimental
description: |
    Detects the use of the Group Policy Management Editor (GPME) to modify Default Domain or Default Domain Controllers Group Policy Objects (GPOs).
    Adversaries may leverage GPME to make stealthy changes in these default GPOs to deploy malicious GPOs configurations across the domain without raising suspicion.
references:
    - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
    - https://adsecurity.org/?p=3377
    - https://sdmsoftware.com/general-stuff/launching-the-new-gp-management-editor-from-the-command-line/
    - https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/
author: TropChaud
date: 2025-11-22
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1484.001
logsource:
    product: windows
    category: process_creation
detection:
    # "C:\Windows\System32\gpme.msc" /s /gpobject:"LDAP://<REDACTED>/cn<REDACTED>,cnpolicies,cnsystem,DC<REDACTED>,DClocal"
    selection_mmc:
        - Image|endswith: '\mmc.exe'
        - OriginalFileName: 'MMC.exe'
    selection_gpme:
        CommandLine|contains|all:
            - 'gpme.msc'
            - 'gpobject:'
    selection_default_gpos:
        CommandLine|contains:
            - '31B2F340-016D-11D2-945F-00C04FB984F9' # Default Domain Policy GUID
            - '6AC1786C-016F-11D2-945F-00C04FB984F9' # Default Domain Controllers Policy GUID
    condition: all of selection_*
falsepositives:
    - Legitimate use of GPME to modify GPOs
level: medium

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/process_creation/proc_creation_win_mmc_default_domain_gpo_modification_via_gpme.yml