Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Suspicious Execution Of Renamed Sysinternals Tools - Registry

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Suspicious Execution Of Renamed Sysinternals Tools - Registry

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Suspicious Execution Of Renamed Sysinternals Tools - Registry
id: f50f3c09-557d-492d-81db-9064a8d4e211
related:
    - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
      type: derived
    - id: 8023f872-3f1d-4301-a384-801889917ab4
      type: similar
status: test
description: Detects the creation of the "accepteula" key related to the Sysinternals tools being created from executables with the wrong name (e.g. a renamed Sysinternals tool)
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-24
modified: 2025-10-26
tags:
    - attack.resource-development
    - attack.t1588.002
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains:
            # Please add new values while respecting the alphabetical order
            - '\Active Directory Explorer'
            - '\Handle'
            - '\LiveKd'
            - '\ProcDump'
            - '\Process Explorer'
            - '\PsExec'
            - '\PsLoggedon'
            - '\PsLoglist'
            - '\PsPasswd'
            - '\PsPing'
            - '\PsService'
            - '\SDelete'
        TargetObject|endswith: '\EulaAccepted'
    filter:
        Image|endswith:
            # Please add new values while respecting the alphabetical order
            - '\ADExplorer.exe'
            - '\ADExplorer64.exe'
            - '\handle.exe'
            - '\handle64.exe'
            - '\livekd.exe'
            - '\livekd64.exe'
            - '\procdump.exe'
            - '\procdump64.exe'
            - '\procexp.exe'
            - '\procexp64.exe'
            - '\PsExec.exe'
            - '\PsExec64.exe'
            - '\PsLoggedon.exe'
            - '\PsLoggedon64.exe'
            - '\psloglist.exe'
            - '\psloglist64.exe'
            - '\pspasswd.exe'
            - '\pspasswd64.exe'
            - '\PsPing.exe'
            - '\PsPing64.exe'
            - '\PsService.exe'
            - '\PsService64.exe'
            - '\sdelete.exe'
    condition: selection and not filter
falsepositives:
    - Unlikely
level: high
regression_tests_path: regression_data/rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula/info.yml

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/registry/registry_set/registry_set_pua_sysinternals_renamed_execution_via_eula.yml