Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
Audit Rules Deleted Via Auditctl
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
Audit Rules Deleted Via Auditctl
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: Audit Rules Deleted Via Auditctl
id: bed26dea-4525-47f4-b24a-76e30e44ffb0
status: experimental
description: |
Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems.
This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities.
Removal of audit rules can significantly impair detection of malicious activities on the affected system.
references:
- https://www.atomicredteam.io/atomic-red-team/atomics/T1562.012
- https://linux.die.net/man/8/auditct
author: Mohamed LAKRI
date: 2025-10-17
tags:
- attack.defense-evasion
- attack.t1562.012
logsource:
product: linux
category: process_creation
detection:
selection:
Image|endswith: '/auditctl'
CommandLine|re: '-D'
condition: selection
falsepositives:
- An administrator troubleshooting. Investigate all attempts.
level: high
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/linux/process_creation/proc_creation_lnx_auditctl_clear_rules.yml