Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Indexed Rules: 3,707 (ready to search)
Backends: 17 (live from sigconverter.io)
CLI Versions: 10 (newest: 2.0.2)

Translation Workspace

Shape the rule before it leaves Phoenix.

Tune Translation
Active Rule: DarkGate - Drop DarkGate Loader In C:\Temp Directory
Target Profile: Splunk (Splunk SPL & tstats data model queries)
Format Mode: Default (plain SPL queries)

Conversion Output

DarkGate - Drop DarkGate Loader In C:\Temp Directory
Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

Backend: Splunk · Format: Default · Version: 2.0.2

title: DarkGate - Drop DarkGate Loader In C:\Temp Directory
id: df49c691-8026-48dd-94d3-4ba6a79102a8
status: test
description: Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.
references:
    - https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/
    - https://www.trendmicro.com/en_us/research/24/c/cve-2024-21412--darkgate-operators-exploit-microsoft-windows-sma.html
author: Tomasz Dyduch, Josh Nickels
date: 2024-05-31
tags:
    - attack.execution
    - attack.t1059
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection_filename_suffix:
        TargetFilename|contains: ':\temp\'
        TargetFilename|endswith:
            - '.au3'
            - '\autoit3.exe'
    selection_image_suffix:
        Image|contains: ':\temp\'
        Image|endswith:
            - '.au3'
            - '\autoit3.exe'
    condition: 1 of selection_*
falsepositives:
    - Unlikely legitimate usage of AutoIT in temp folders.
level: medium

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules-emerging-threats/2024/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_save_temp.yml
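As an added illustration of what the Splunk backend does with this rule's detection block (example code written for this page, not Phoenix's or sigma-cli's own): a minimal Python translator for the Sigma subset the rule uses (the contains/endswith modifiers, value lists and a "1 of selection_*" condition), producing a plain SPL search with no pipeline applied, as the --without-pipeline command above does. The detection block is copied inline as constructed data; the real backend's spacing and escaping may differ slightly.

```python
import fnmatch
import re

# Constructed copy of the DarkGate rule's detection block (metadata omitted).
DARKGATE_DETECTION = {
    "selection_filename_suffix": {
        "TargetFilename|contains": ":\\temp\\",
        "TargetFilename|endswith": [".au3", "\\autoit3.exe"],
    },
    "selection_image_suffix": {
        "Image|contains": ":\\temp\\",
        "Image|endswith": [".au3", "\\autoit3.exe"],
    },
    "condition": "1 of selection_*",
}

def _spl_literal(value, modifier):
    """Sigma value + modifier -> quoted Splunk wildcard literal."""
    pattern = {"contains": f"*{value}*", "endswith": f"*{value}",
               "startswith": f"{value}*"}.get(modifier, value)
    # Splunk string literals escape backslashes and double quotes.
    return '"' + pattern.replace("\\", "\\\\").replace('"', '\\"') + '"'

def _selection_to_spl(selection):
    """Keys inside one Sigma selection map are ANDed; list values are ORed."""
    terms = []
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        values = values if isinstance(values, list) else [values]
        lits = [_spl_literal(v, modifier) for v in values]
        terms.append(f"{field}={lits[0]}" if len(lits) == 1
                     else f"{field} IN ({', '.join(lits)})")
    return " ".join(terms)  # adjacent terms are an implicit AND in SPL

def sigma_to_spl(detection):
    """Supports '1 of X*' (OR) and 'all of X*' (AND) conditions only."""
    m = re.fullmatch(r"(1|all) of (\S+)", detection["condition"])
    if not m:
        raise ValueError("unsupported condition: " + detection["condition"])
    quant, glob = m.groups()
    names = [n for n in detection if n != "condition" and fnmatch.fnmatch(n, glob)]
    return (" OR " if quant == "1" else " AND ").join(
        _selection_to_spl(detection[n]) for n in names)

if __name__ == "__main__":
    print(sigma_to_spl(DARKGATE_DETECTION))
```

Because every term is a leading-wildcard string match, the resulting search is accurate but not index-friendly; a tstats data-model variant (the other Splunk target the workspace lists) is the usual way to make it cheap at scale.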