Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Potentially Suspicious Office Document Executed From Trusted Location

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Potentially Suspicious Office Document Executed From Trusted Location

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Potentially Suspicious Office Document Executed From Trusted Location
id: f99abdf0-6283-4e71-bd2b-b5c048a94743
status: test
description: Detects the execution of an Office application that points to a document that is located in a trusted location. Attackers often used this to avoid macro security and execute their malicious code.
references:
    - Internal Research
    - https://twitter.com/Max_Mal_/status/1633863678909874176
    - https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465
    - https://twitter.com/_JohnHammond/status/1588155401752788994
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-21
modified: 2023-10-18
tags:
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        # Note: we add a parent shell to reduce FP. Add additional 3rd party shells that you might use
        ParentImage|endswith:
            - '\explorer.exe'
            - '\dopus.exe'
    selection_img:
        - Image|endswith:
              - '\EXCEL.EXE'
              - '\POWERPNT.EXE'
              - '\WINWORD.exe'
        - OriginalFileName:
              - 'Excel.exe'
              - 'POWERPNT.EXE'
              - 'WinWord.exe'
    selection_trusted_location:
        CommandLine|contains:
            # Note: these are the default locations. Admins/Users could add additional ones that you need to cover
            - '\AppData\Roaming\Microsoft\Templates'
            - '\AppData\Roaming\Microsoft\Word\Startup\'
            - '\Microsoft Office\root\Templates\'
            - '\Microsoft Office\Templates\'
    filter_main_dotx:
        # Note: We add this filter to avoid curious people clicking on template files
        CommandLine|endswith:
            - '.dotx'
            - '.xltx'
            - '.potx'
    condition: all of selection_* and not 1 of filter_main_*
falsepositives:
    - Unknown
level: high

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml