Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Disable Security Tools

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Disable Security Tools

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Disable Security Tools
id: ff39f1a6-84ac-476f-a1af-37fcdf53d7c0
status: test
description: Detects disabling security tools
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
author: Daniil Yugoslavskiy, oscd.community
date: 2020-10-19
modified: 2021-11-27
tags:
    - attack.defense-evasion
    - attack.t1562.001
logsource:
    category: process_creation
    product: macos
detection:
    launchctl_unload:
        Image: '/bin/launchctl'
        CommandLine|contains: 'unload'
    security_plists:
        CommandLine|contains:
            - 'com.objective-see.lulu.plist'                     # Objective-See firewall management utility
            - 'com.objective-see.blockblock.plist'               # Objective-See persistence locations watcher/blocker
            - 'com.google.santad.plist'                          # google santa
            - 'com.carbonblack.defense.daemon.plist'             # carbon black
            - 'com.carbonblack.daemon.plist'                     # carbon black
            - 'at.obdev.littlesnitchd.plist'                     # Objective Development Software firewall management utility
            - 'com.tenablesecurity.nessusagent.plist'            # Tenable Nessus
            - 'com.opendns.osx.RoamingClientConfigUpdater.plist' # OpenDNS Umbrella
            - 'com.crowdstrike.falcond.plist'                    # Crowdstrike Falcon
            - 'com.crowdstrike.userdaemon.plist'                 # Crowdstrike Falcon
            - 'osquery'                                          # facebook osquery
            - 'filebeat'                                         # elastic log file shipper
            - 'auditbeat'                                        # elastic auditing agent/log shipper
            - 'packetbeat'                                       # elastic network logger/shipper
            - 'td-agent'                                         # fluentd log shipper
    disable_gatekeeper:
        Image: '/usr/sbin/spctl'
        CommandLine|contains: 'disable'
    condition: (launchctl_unload and security_plists) or disable_gatekeeper
falsepositives:
    - Legitimate activities
level: medium

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/macos/process_creation/proc_creation_macos_disable_security_tools.yml