Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Indexed Rules: 3,707 (ready to search)

Backends: 17 (live from sigconverter.io)

CLI Versions: 10 (newest: 2.0.2)

Translation Workspace

Shape the rule before it leaves Phoenix.

Active Rule: Potential CVE-2023-23397 Exploitation Attempt - SMB

Target Profile: Splunk (Splunk SPL & tstats data model queries)

Format Mode: Default (plain SPL queries)

Conversion Output

Potential CVE-2023-23397 Exploitation Attempt - SMB

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

Backend: Splunk · Format: Default · Version: 2.0.2
title: Potential CVE-2023-23397 Exploitation Attempt - SMB
id: de96b824-02b0-4241-9356-7e9b47f04bac
status: test
description: Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
references:
    - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
    - https://github.com/nasbench/Misc-Research/blob/fc46f6da34ff7e0076da28fd3e66d6e1100f1c2f/ETW/Microsoft-Windows-SMBClient.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-05
modified: 2025-10-13
tags:
    - attack.exfiltration
    - cve.2023-23397
    - detection.emerging-threats
logsource:
    product: windows
    service: smbclient-connectivity
detection:
    selection:
        # Author Note: You could adapt this rule to use the "ServerName" field and uncomment the commented EventIDs. But you need to provide your own filter for "trusted server names"
        EventID:
            # - 30800 # The server name cannot be resolved. (Doesn't contain the "ServerAddress" field)
            - 30803 # Failed to establish a network connection.
            - 30804 # A network connection was disconnected.
            - 30806 # The client re-established its session to the server.
            # - 31001 # Error (Doesn't contain the "ServerAddress" field)
    filter_main_local_ips:
        - ServerAddress|cidr:
              # IPv4
              - '10.0.0.0/8'
              - '127.0.0.0/8'
              - '169.254.0.0/16'
              - '172.16.0.0/12'
              - '192.168.0.0/16'
              # IPv6
              - '::1/128'  # IPv6 loopback
              - 'fe80::/10'  # IPv6 link-local addresses
              - 'fc00::/7'  # IPv6 private addresses
        - Address|startswith:
        # This is for EventID 30804, which doesn't have the "ServerAddress" field, but a field called "Address" and it contains a socket address (IP:Port) and not an IP
              # IPv4
              - '10.'
              - '127.'
              - '169.254.'
              - '172.'
              - '192.168.'
              # IPv6
              - '::1'
              - 'fe80::'
              - 'fc00::'
        # The filters below cover the XML raw log
        - Address|contains:
              # IPv6
              - '00000000000000000000000000000001' # ::1 - IPv6 loopback
              - 'FE80000000000000' # fe80:: - IPv6 link-local addresses
              - 'FC00000000000000' # fc00:: - IPv6 private addresses
              # IPv4
              # The "?" are meant to represent the port
              - '0200????C0A8' # 192.168.
              - '0200????AC' # 172.
              - '0200????0A' # 10.
              - '0200????7F' # 127
              - '0200????A9FE' # 169.254.
        - ServerAddress|contains:
              # IPv6
              - '00000000000000000000000000000001' # ::1 - IPv6 loopback
              - 'FE80000000000000' # fe80:: - IPv6 link-local addresses
              - 'FC00000000000000' # fc00:: - IPv6 private addresses
              # IPv4
              # The "?" are meant to represent the port
              - '0200????C0A8' # 192.168.
              - '0200????AC' # 172.
              - '0200????0A' # 10.
              - '0200????7F' # 127
              - '0200????A9FE' # 169.254.
        - RemoteAddress|contains:
              # IPv6
              - '00000000000000000000000000000001' # ::1 - IPv6 loopback
              - 'FE80000000000000' # fe80:: - IPv6 link-local addresses
              - 'FC00000000000000' # fc00:: - IPv6 private addresses
              # IPv4
              # The "?" are meant to represent the port
              - '0200????C0A8' # 192.168.
              - '0200????AC' # 172.
              - '0200????0A' # 10.
              - '0200????7F' # 127
              - '0200????A9FE' # 169.254.
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Some false positives may occur from external trusted servers. Apply additional filters accordingly
level: medium
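As an added example (not code from Phoenix or from the rule's author), the detection above re-implemented in plain Python over constructed SMBClient/Connectivity events, so each record shows which of the three filter styles (cidr on ServerAddress, startswith on the 30804 socket address, and the hex fragments matched against the raw XML sockaddr) suppresses it; the field names come from the rule, the sample values are made up.

```python
import ipaddress
import re

# Event IDs in the rule's "selection" (30800 and 31001 are commented out in the rule).
SELECTION_EVENT_IDS = {30803, 30804, 30806}
# filter_main_local_ips, ServerAddress|cidr
LOCAL_CIDRS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]
# Address|startswith: EventID 30804 carries "IP:Port" in "Address" instead of "ServerAddress"
LOCAL_PREFIXES = ("10.", "127.", "169.254.", "172.", "192.168.", "::1", "fe80::", "fc00::")
# Address/ServerAddress/RemoteAddress|contains over the raw XML sockaddr blob;
# each "?" stands for one hex digit of the port, i.e. a single-character wildcard
RAW_HEX_FRAGMENTS = (
    "00000000000000000000000000000001", "FE80000000000000", "FC00000000000000",
    "0200????C0A8", "0200????AC", "0200????0A", "0200????7F", "0200????A9FE")
RAW_HEX_PATTERNS = [re.compile("".join("." if c == "?" else re.escape(c) for c in f), re.I)
                    for f in RAW_HEX_FRAGMENTS]

def in_local_cidr(value):
    """ServerAddress|cidr; a missing or unparsable address never matches."""
    try:
        return any(ipaddress.ip_address(value) in net for net in LOCAL_CIDRS)
    except ValueError:
        return False

def contains_local_raw_hex(value):
    return any(p.search(value) for p in RAW_HEX_PATTERNS)

def is_filtered_local(event):
    """True when any filter_main_* entry matches (Sigma string modifiers are case-insensitive)."""
    server, address, remote = (event.get(k, "") for k in ("ServerAddress", "Address", "RemoteAddress"))
    return (in_local_cidr(server) or address.lower().startswith(LOCAL_PREFIXES)
            or any(contains_local_raw_hex(v) for v in (address, server, remote)))

def matches_rule(event):
    """condition: selection and not 1 of filter_main_*"""
    return event.get("EventID") in SELECTION_EVENT_IDS and not is_filtered_local(event)

def alerts(events):
    return [e for e in events if matches_rule(e)]

SAMPLE_EVENTS = [  # constructed, not from the page; 203.0.113.0/24 is documentation address space
    {"EventID": 30803, "ServerAddress": "203.0.113.10"},   # internet-facing -> alert
    {"EventID": 30803, "ServerAddress": "10.20.30.40"},    # RFC 1918 -> filtered by cidr
    {"EventID": 30804, "Address": "192.168.1.5:445"},      # socket address -> filtered by startswith
    {"EventID": 30804, "Address": "020001BDC0A80105"},     # raw sockaddr_in for 192.168.1.5:445 -> filtered
    {"EventID": 30806, "ServerAddress": "fe80::1"},        # link-local -> filtered by cidr
    {"EventID": 30800, "ServerAddress": "203.0.113.10"},   # not in selection -> no alert
]
```

The rule's startswith prefix and raw-hex fragment for 172. suppress all of 172.0.0.0/8, not only the 172.16.0.0/12 block listed under cidr; the example keeps that behaviour as written.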

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2023/Exploits/CVE-2023-23397/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml