Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Outbound RDP Connections Over Non-Standard Tools

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Outbound RDP Connections Over Non-Standard Tools

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Outbound RDP Connections Over Non-Standard Tools
id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
status: test
description: |
    Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement.
    An initial baseline is required before using this utility to exclude third party RDP tooling that you might use.
references:
    - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
author: Markus Neis
date: 2019-05-15
modified: 2024-02-09
tags:
    - attack.lateral-movement
    - attack.t1021.001
    - car.2013-07-002
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationPort: 3389
        Initiated: 'true'
    filter_main_mstsc:
        Image:
            - 'C:\Windows\System32\mstsc.exe'
            - 'C:\Windows\SysWOW64\mstsc.exe'
    filter_optional_dns:
        # Note: https://github.com/SigmaHQ/sigma/pull/2249
        Image: 'C:\Windows\System32\dns.exe'
        SourcePort: 53
        Protocol: 'udp'
    filter_optional_avast:
        Image|endswith:
            - '\Avast Software\Avast\AvastSvc.exe'
            - '\Avast\AvastSvc.exe'
    filter_optional_sysinternals_rdcman:
        Image|endswith: '\RDCMan.exe'
    filter_optional_chrome:
        Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
    filter_optional_third_party:
        Image|endswith:
            - '\FSAssessment.exe'
            - '\FSDiscovery.exe'
            - '\MobaRTE.exe'
            - '\mRemote.exe'
            - '\mRemoteNG.exe'
            - '\Passwordstate.exe'
            - '\RemoteDesktopManager.exe'
            - '\RemoteDesktopManager64.exe'
            - '\RemoteDesktopManagerFree.exe'
            - '\RSSensor.exe'
            - '\RTS2App.exe'
            - '\RTSApp.exe'
            - '\spiceworks-finder.exe'
            - '\Terminals.exe'
            - '\ws_TunnelService.exe'
    filter_optional_thor:
        Image|endswith:
            - '\thor.exe'
            - '\thor64.exe'
    filter_optional_splunk:
        Image|startswith: 'C:\Program Files\SplunkUniversalForwarder\bin\'
    filter_optional_sentinel_one:
        Image|endswith: '\Ranger\SentinelRanger.exe'
    filter_optional_firefox:
        Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'
    filter_optional_tsplus:  # Some RAS
        Image:
            - 'C:\Program Files\TSplus\Java\bin\HTML5service.exe'
            - 'C:\Program Files (x86)\TSplus\Java\bin\HTML5service.exe'
    filter_optional_null:
        Image: null
    filter_optional_empty:
        Image: ''
    filter_optional_unknown:
        Image: '<unknown process>'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Third party RDP tools
level: high

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml