Merge PR #5149 from @nasbench - Promote older rules status from `experimental` to `test`

chore: promote older rules status from experimental to test

Co-authored-by: nasbench <[email protected]>
github-actions[bot] and nasbench authored Jan 6, 2025
1 parent 952d518 commit 8734022
Showing 54 changed files with 54 additions and 54 deletions.
@@ -1,6 +1,6 @@
title: Exploitation Indicator Of CVE-2022-42475
id: 293ccb8c-bed8-4868-8296-bef30e303b7e
status: experimental
status: test
description: Detects exploitation indicators of CVE-2022-42475 a heap-based buffer overflow in sslvpnd.
references:
- https://www.fortiguard.com/psirt/FG-IR-22-398
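Review bot: The description on the context line lacks a comma before the appositive, which makes `CVE-2022-42475 a heap-based buffer overflow in sslvpnd` read as one run-on noun phrase; since the file is being touched for the status bump anyway, suggest `description: Detects exploitation indicators of CVE-2022-42475, a heap-based buffer overflow in sslvpnd.`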
@@ -1,6 +1,6 @@
title: Qakbot Regsvr32 Calc Pattern
id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9
status: experimental
status: test
description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
references:
- https://github.com/pr0xylife/Qakbot/
Expand Up @@ -3,7 +3,7 @@ id: 44d7af7e-88e6-4490-be11-55f7ff4d9fc1
related:
- id: 4c198a60-7d05-4daf-8bf7-4136fb6f5c62
type: similar
status: experimental
status: test
description: |
This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
references:
Expand Up @@ -3,7 +3,7 @@ id: 4c198a60-7d05-4daf-8bf7-4136fb6f5c62
related:
- id: 44d7af7e-88e6-4490-be11-55f7ff4d9fc1
type: similar
status: experimental
status: test
description: |
This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
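Review bot: The audit-prerequisite sentence on the last context line has a grammar slip that makes the requirement ambiguous: `This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.` Suggest `This requires an Advanced Auditing policy that logs successful Windows Event ID 4663 events, and a SACL set on the directory.` so that readers see both conditions (the audit policy and the SACL) are needed for the rule to fire.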
Expand Up @@ -3,7 +3,7 @@ id: 1a821580-588b-4323-9422-660f7e131020
related:
- id: 4109cb6a-a4af-438a-9f0c-056abba41c6f
type: similar
status: experimental
status: test
description: |
Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.
This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
@@ -1,6 +1,6 @@
title: CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
id: d27eabad-9068-401a-b0d6-9eac744d6e67
status: experimental
status: test
description: |
Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.
references:
Expand Up @@ -3,7 +3,7 @@ id: 4109cb6a-a4af-438a-9f0c-056abba41c6f
related:
- id: 1a821580-588b-4323-9422-660f7e131020
type: similar
status: experimental
status: test
description: |
This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.
This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
@@ -1,6 +1,6 @@
title: Potential Raspberry Robin CPL Execution Activity
id: 92020b88-9caf-464f-bad8-cd0fb0aa2a81
status: experimental
status: test
description: |
Detects the execution of a ".CPL" file located in the user temp directory via the Shell32 DLL "Control_RunDLL" export function.
This behavior was observed in multiple Raspberry-Robin variants.
@@ -1,6 +1,6 @@
title: DPRK Threat Actor - C2 Communication DNS Indicators
id: 4d16c9a6-4362-4863-9940-1dee35f1d70f
status: experimental
status: test
description: Detects DNS queries for C2 domains used by DPRK Threat actors.
references:
- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2
@@ -1,6 +1,6 @@
title: ScreenConnect - SlashAndGrab Exploitation Indicators
id: 05164d17-8e11-4d7d-973e-9e4962436b87
status: experimental
status: test
description: |
Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported Team Huntress
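Review bot: The description is missing a preposition and a terminating period: `as reported Team Huntress` should read `as reported by Team Huntress.` Worth fixing in the same file touch since the rule is moving out of `experimental`.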
references:
Expand Up @@ -5,7 +5,7 @@ related:
type: derived
- id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
type: derived
status: experimental
status: test
description: |
Detects remote binary or command execution via the ScreenConnect Service.
Use this rule in order to hunt for potentially anomalous executions originating from ScreenConnect
@@ -1,6 +1,6 @@
title: Shell Context Menu Command Tampering
id: 868df2d1-0939-4562-83a7-27408c4a1ada
status: experimental
status: test
description: Detects changes to shell context menu commands. Use this rule to hunt for potential anomalies and suspicious shell commands.
references:
- https://mrd0x.com/sentinelone-persistence-via-menu-context/
2 changes: 1 addition & 1 deletion rules/cloud/aws/cloudtrail/aws_console_getsignintoken.yml
@@ -1,6 +1,6 @@
title: AWS Console GetSigninToken Potential Abuse
id: f8103686-e3e8-46f3-be72-65f7fcb4aa53
status: experimental
status: test
description: |
Detects potentially suspicious events involving "GetSigninToken".
An adversary using the "aws_consoler" tool can leverage this console API to create temporary federated credential that help obfuscate which AWS credential is compromised (the original access key) and enables the adversary to pivot from the AWS CLI to console sessions without the need for MFA using the new access key issued in this request.
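Review bot: Number agreement in the description: `create temporary federated credential that help obfuscate` should be `create temporary federated credentials that help obfuscate`. The rest of the sentence (pivoting from CLI to console sessions without MFA) is the key detection rationale and reads fine.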
@@ -1,6 +1,6 @@
title: Bitbucket Full Data Export Triggered
id: 195e1b9d-bfc2-4ffa-ab4e-35aef69815f8
status: experimental
status: test
description: Detects when full data export is attempted.
references:
- https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
@@ -1,6 +1,6 @@
title: Bitbucket Global Permission Changed
id: aac6c4f4-87c7-4961-96ac-c3fd3a42c310
status: experimental
status: test
description: Detects global permissions change activity.
references:
- https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
@@ -1,6 +1,6 @@
title: Bitbucket Global Secret Scanning Rule Deleted
id: e16cf0f0-ee88-4901-bd0b-4c8d13d9ee05
status: experimental
status: test
description: Detects Bitbucket global secret scanning rule deletion activity.
references:
- https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
@@ -1,6 +1,6 @@
title: Bitbucket Global SSH Settings Changed
id: 16ab6143-510a-44e2-a615-bdb80b8317fc
status: experimental
status: test
description: Detects Bitbucket global SSH access configuration changes.
references:
- https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
@@ -1,6 +1,6 @@
title: Bitbucket Audit Log Configuration Updated
id: 6aa12161-235a-4dfb-9c74-fe08df8d8da1
status: experimental
status: test
description: Detects changes to the bitbucket audit log configuration.
references:
- https://confluence.atlassian.com/bitbucketserver/view-and-configure-the-audit-log-776640417.html
@@ -1,6 +1,6 @@
title: Bitbucket Project Secret Scanning Allowlist Added
id: 42ccce6d-7bd3-4930-95cd-e4d83fa94a30
status: experimental
status: test
description: Detects when a secret scanning allowlist rule is added for projects.
references:
- https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
@@ -1,6 +1,6 @@
title: Bitbucket Secret Scanning Exempt Repository Added
id: b91e8d5e-0033-44fe-973f-b730316f23a1
status: experimental
status: test
description: Detects when a repository is exempted from secret scanning feature.
references:
- https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
@@ -1,6 +1,6 @@
title: Bitbucket Secret Scanning Rule Deleted
id: ff91e3f0-ad15-459f-9a85-1556390c138d
status: experimental
status: test
description: Detects when secret scanning rule is deleted for the project or repository.
references:
- https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
@@ -1,6 +1,6 @@
title: Bitbucket Unauthorized Access To A Resource
id: 7215374a-de4f-4b33-8ba5-70804c9251d3
status: experimental
status: test
description: Detects unauthorized access attempts to a resource.
references:
- https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
@@ -1,6 +1,6 @@
title: Bitbucket Unauthorized Full Data Export Triggered
id: 34d81081-03c9-4a7f-91c9-5e46af625cde
status: experimental
status: test
description: Detects when full data export is attempted an unauthorized user.
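Review bot: The description is missing a preposition: `Detects when full data export is attempted an unauthorized user.` should read `Detects when full data export is attempted by an unauthorized user.`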
references:
- https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
@@ -1,6 +1,6 @@
title: Bitbucket User Details Export Attempt Detected
id: 5259cbf2-0a75-48bf-b57a-c54d6fabaef3
status: experimental
status: test
description: Detects user data export activity.
references:
- https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
@@ -1,6 +1,6 @@
title: Bitbucket User Login Failure
id: 70ed1d26-0050-4b38-a599-92c53d57d45a
status: experimental
status: test
description: |
Detects user authentication failure events.
Please note that this rule can be noisy and it is recommended to use with correlation based on "author.name" field.
@@ -1,6 +1,6 @@
title: Bitbucket User Login Failure Via SSH
id: d3f90469-fb05-42ce-b67d-0fded91bbef3
status: experimental
status: test
description: |
Detects SSH user login access failures.
Please note that this rule can be noisy and is recommended to use with correlation based on "author.name" field.
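Review bot: Minor grammar in the noisiness note on the last context line: `is recommended to use with correlation` is missing its object; suggest `it is recommended to use it with correlation based on the "author.name" field.` The companion "Bitbucket User Login Failure" rule carries the same sentence, so align both while they are being touched.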
@@ -1,6 +1,6 @@
title: Bitbucket User Permissions Export Attempt
id: 87cc6698-3e07-4ba2-9b43-a85a73e151e2
status: experimental
status: test
description: Detects user permission data export attempt.
references:
- https://confluence.atlassian.com/bitbucketserver/audit-log-events-776640423.html
@@ -1,6 +1,6 @@
title: Github Push Protection Bypass Detected
id: 02cf536a-cf21-4876-8842-4159c8aee3cc
status: experimental
status: test
description: Detects when a user bypasses the push protection on a secret detected by secret scanning.
references:
- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
2 changes: 1 addition & 1 deletion rules/cloud/github/github_push_protection_disabled.yml
@@ -1,6 +1,6 @@
title: Github Push Protection Disabled
id: ccd55945-badd-4bae-936b-823a735d37dd
status: experimental
status: test
description: Detects if the push protection feature is disabled for an organization, enterprise, repositories or custom pattern rules.
references:
- https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations
@@ -1,6 +1,6 @@
title: Active Directory Certificate Services Denied Certificate Enrollment Request
id: 994bfd6d-0a2e-481e-a861-934069fcf5f5
status: experimental
status: test
description: |
Detects denied requests by Active Directory Certificate Services.
Example of these requests denial include issues with permissions on the certificate template or invalid signatures.
@@ -1,6 +1,6 @@
title: No Suitable Encryption Key Found For Generating Kerberos Ticket
id: b1e0b3f5-b62e-41be-886a-daffde446ad4
status: experimental
status: test
description: |
Detects errors when a target server doesn't have suitable keys for generating kerberos tickets.
This issue can occur for example when a service uses a user account or a computer account that is configured for only DES encryption on a computer that is running Windows 7 which has DES encryption for Kerberos authentication disabled.
@@ -1,6 +1,6 @@
title: DNS Query Request To OneLaunch Update Service
id: df68f791-ad95-447f-a271-640a0dab9cf8
status: experimental
status: test
description: |
Detects DNS query requests to "update.onelaunch.com". This domain is associated with the OneLaunch adware application.
When the OneLaunch application is installed it will attempt to get updates from this domain.
2 changes: 1 addition & 1 deletion rules/windows/image_load/image_load_susp_unsigned_dll.yml
@@ -1,6 +1,6 @@
title: Unsigned DLL Loaded by Windows Utility
id: b5de0c9a-6f19-43e0-af4e-55ad01f550af
status: experimental
status: test
description: |
Detects windows utilities loading an unsigned or untrusted DLL.
Adversaries often abuse those programs to proxy execution of malicious code.
@@ -1,6 +1,6 @@
title: HackTool - Evil-WinRm Execution - PowerShell Module
id: 9fe55ea2-4cd6-4491-8a54-dd6871651b51
status: experimental
status: test
description: |
Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.
references:
@@ -1,6 +1,6 @@
title: Potential Credential Dumping Activity Via LSASS
id: 5ef9853e-4d0e-4a70-846f-a9ca37d876da
status: experimental
status: test
description: |
Detects process access requests to the LSASS process with specific call trace calls and access masks.
This behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.
Expand Up @@ -3,7 +3,7 @@ id: ea0cdc3e-2239-4f26-a947-4e8f8224e464
related:
- id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
type: derived
status: experimental
status: test
description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the extensions of the file is suspicious
references:
- https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior
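Review bot: Subject-verb agreement in the description: `where the extensions of the file is suspicious` should be `where the extension of the file is suspicious` (a single file has one extension), and the sentence needs a terminating period.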
Expand Up @@ -3,7 +3,7 @@ id: 82a6714f-4899-4f16-9c1e-9a333544d4c3
related:
- id: e62a9f0c-ca1e-46b2-85d5-a6da77f86d1a
type: derived
status: experimental
status: test
description: Detects the execution of certutil with the "encode" flag to encode a file to base64 where the files are located in potentially suspicious locations
references:
- https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior
@@ -1,6 +1,6 @@
title: Console CodePage Lookup Via CHCP
id: 7090adee-82e2-4269-bd59-80691e7c6338
status: experimental
status: test
description: Detects use of chcp to look up the system locale value as part of host discovery
references:
- https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
@@ -1,6 +1,6 @@
title: Potentially Suspicious Ping/Copy Command Combination
id: ded2b07a-d12f-4284-9b76-653e37b6c8b0
status: experimental
status: test
description: |
Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.
references:
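Review bot: Grammar in the description: `Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware.` should use the plural (`one-liner commands ... which are`), and `usually` overstates what a description can promise; `often` is the more defensible word for a rule that is also expected to hit legitimate admin scripts.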
Expand Up @@ -9,7 +9,7 @@ related:
type: similar
- id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 # Diskshadow Script Mode Execution
type: similar
status: experimental
status: test
description: |
Detects execution of "Diskshadow.exe" in script mode to execute an script with a potentially uncommon extension.
Initial baselining of the allowed extension list is required.
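Review bot: Typo in the description: `to execute an script` should be `to execute a script`. The baselining note on the next line is useful and should stay as-is since the rule depends on a tuned extension allow-list.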
Expand Up @@ -3,7 +3,7 @@ id: 587254ee-a24b-4335-b3cd-065c0f1f4baa
related:
- id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
type: obsolete
status: experimental
status: test
description: |
Detects execution of "findstr" with specific flags and a remote share path. This specific set of CLI flags would allow "findstr" to download the content of the file located on the remote share as described in the LOLBAS entry.
references:
Expand Up @@ -3,7 +3,7 @@ id: 04936b66-3915-43ad-a8e5-809eadfd1141
related:
- id: bf6c39fc-e203-45b9-9538-05397c1b4f3f
type: obsolete
status: experimental
status: test
description: |
Detects execution of findstr with the "s" and "i" flags for a "subfolder" and "insensitive" search respectively. Attackers sometimes leverage this built-in utility to search the system for interesting files or filter through results of commands.
references:
@@ -1,6 +1,6 @@
title: Rebuild Performance Counter Values Via Lodctr.EXE
id: cc9d3712-6310-4320-b2df-7cb408274d53
status: experimental
status: test
description: Detects the execution of "lodctr.exe" to rebuild the performance counter registry values. This can be abused by attackers by providing a malicious config file to overwrite performance counter configuration to confuse and evade monitoring and security solutions.
references:
- https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr
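Review bot: The only visible reference, `https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr`, is a page about the TPM virtual smart card manager and does not appear to relate to `lodctr.exe` or performance counter registry values as the description states; before promoting the rule to `test`, verify the reference list and replace or supplement it with documentation that actually covers lodctr and the evasion the description describes.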
Expand Up @@ -5,7 +5,7 @@ related:
type: similar
- id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
type: obsolete
status: experimental
status: test
description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file which might contain a malicious action.
references:
- https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
Expand Up @@ -3,7 +3,7 @@ id: 5e3cc4d8-3e68-43db-8656-eaaeefdec9cc
related:
- id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
type: derived
status: experimental
status: test
description: Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
references:
- https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
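Review bot: Stray word in the description: `where the and output is located in a suspicious location` should read `where the output is located in a suspicious location`, and the sentence needs a terminating period.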
@@ -1,6 +1,6 @@
title: Remote Access Tool - AnyDesk Execution With Known Revoked Signing Certificate
id: 41f407b5-3096-44ea-a74f-96d04fbc41be
status: experimental
status: test
description: |
Detects the execution of an AnyDesk binary with a version prior to 8.0.8.
Prior to version 8.0.8, the Anydesk application used a signing certificate that got compromised by threat actors.
@@ -1,6 +1,6 @@
title: Remote Access Tool - ScreenConnect Remote Command Execution
id: b1f73849-6329-4069-bc8f-78a604bb8b23
status: experimental
status: test
description: Detects the execution of a system command via the ScreenConnect RMM service.
references:
- https://github.com/SigmaHQ/sigma/pull/4467
@@ -1,6 +1,6 @@
title: Remote Access Tool - ScreenConnect Server Web Shell Execution
id: b19146a3-25d4-41b4-928b-1e2a92641b1b
status: experimental
status: test
description: Detects potential web shell execution from the ScreenConnect server process.
references:
- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/