chore: promote older rules status from experimental to test (#4651)
Co-authored-by: nasbench <[email protected]>
github-actions[bot] and nasbench authored Jan 1, 2024
1 parent 17b87ec commit c3fe2da
Showing 191 changed files with 191 additions and 191 deletions.
@@ -5,7 +5,7 @@ related:
type: similar
- id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 # Process Creation
type: similar
status: experimental
status: test
description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
@@ -1,6 +1,6 @@
title: Potential CVE-2022-21587 Exploitation Attempt
id: d033cb8a-8669-4a8e-a974-48d4185a8503
status: experimental
status: test
description: Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.
references:
- https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-observed-exploitation-of-oracle-e-business-suite-vulnerability/
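Review bot: the description context line "CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite" is missing a comma after the CVE identifier; since this rule is leaving experimental status, suggest "CVE-2022-21587, an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS)" in the same change.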
@@ -1,6 +1,6 @@
title: Potential CVE-2022-29072 Exploitation Attempt
id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3
status: experimental
status: test
description: |
Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.
7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.
@@ -1,6 +1,6 @@
title: Potential Raspberry Robin Dot Ending File
id: a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a
status: experimental
status: test
description: Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin
author: Nasreddine Bencherchali (Nextron Systems)
references:
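Review bot: the description context line runs two sentences together ("files ending with a "." This scheme has been seen used by raspberry-robin") and spells the family name differently from the title; suggest "files ending with a ".". This scheme has been seen used by Raspberry Robin." so the wording matches the title before the rule is promoted.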
@@ -1,6 +1,6 @@
title: Potential CVE-2023-23752 Exploitation Attempt
id: 0e1ebc5a-15d0-4bf6-8199-b2535397433a
status: experimental
status: test
description: Detects the potential exploitation attempt of CVE-2023-23752 an Improper access check, in web service endpoints in Joomla
references:
- https://xz.aliyun.com/t/12175
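Review bot: the description context line "CVE-2023-23752 an Improper access check, in web service endpoints in Joomla" has a stray comma and an unexpected capital; suggest "CVE-2023-23752, an improper access check in web service endpoints in Joomla".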
@@ -1,6 +1,6 @@
title: Rhadamanthys Stealer Module Launch Via Rundll32.EXE
id: 5cdbc2e8-86dd-43df-9a1a-200d4745fba5
status: experimental
status: test
description: Detects the use of Rundll32 to launch an NSIS module that serves as the main stealer capability of Rhadamanthys infostealer, as observed in reports and samples in early 2023
references:
- https://elis531989.medium.com/dancing-with-shellcodes-analyzing-rhadamanthys-stealer-3c4986966a88
@@ -1,6 +1,6 @@
title: Potential SocGholish Second Stage C2 DNS Query
id: 70761fe8-6aa2-4f80-98c1-a57049c08e66
status: experimental
status: test
description: Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic
references:
- https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations
@@ -1,6 +1,6 @@
title: Userdomain Variable Enumeration
id: 43311e65-84d8-42a5-b3d4-c94d9b67038f
status: experimental
status: test
description: Detects suspicious enumeration of the domain the user is associated with.
references:
- https://www.arxiv-vanity.com/papers/2008.04676/
@@ -1,6 +1,6 @@
title: System Drawing DLL Load
id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
status: experimental
status: test
description: Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/16
@@ -5,7 +5,7 @@ related:
type: derived
- id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 # Suspicious curl execution
type: derived
status: experimental
status: test
description: Detects file download using curl.exe
references:
- https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
@@ -1,6 +1,6 @@
title: Potential JNDI Injection Exploitation In JVM Based Application
id: bb0e9cec-d4da-46f5-997f-22efc59f3dca
status: experimental
status: test
description: Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.
references:
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
2 changes: 1 addition & 1 deletion rules/application/jvm/java_local_file_read.yml
@@ -1,6 +1,6 @@
title: Potential Local File Read Vulnerability In JVM Based Application
id: e032f5bc-4563-4096-ae3b-064bab588685
status: experimental
status: test
description: |
Detects potential local file read vulnerability in JVM based apps.
If the exceptions are caused due to user input and contain path traversal payloads then it's a red flag.
@@ -1,6 +1,6 @@
title: Potential OGNL Injection Exploitation In JVM Based Application
id: 4d0af518-828e-4a04-a751-a7d03f3046ad
status: experimental
status: test
description: |
Detects potential OGNL Injection exploitation, which may lead to RCE.
OGNL is an expression language that is supported in many JVM based systems.
2 changes: 1 addition & 1 deletion rules/application/jvm/java_rce_exploitation_attempt.yml
@@ -1,6 +1,6 @@
title: Process Execution Error In JVM Based Application
id: d65f37da-a26a-48f8-8159-3dde96680ad2
status: experimental
status: test
description: Detects process execution related exceptions in JVM based apps, often relates to RCE
references:
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
2 changes: 1 addition & 1 deletion rules/application/jvm/java_xxe_exploitation_attempt.yml
@@ -1,6 +1,6 @@
title: Potential XXE Exploitation Attempt In JVM Based Application
id: c4e06896-e27c-4583-95ac-91ce2279345d
status: experimental
status: test
description: Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.
references:
- https://rules.sonarsource.com/java/RSPEC-2755
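Review bot: the description context line is a comma splice that mixes the detection statement with remediation advice ("Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely."); suggest splitting it: "Detects XML parsing issues. If the application expects to work with XML, make sure that the parser is initialized safely."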
@@ -1,6 +1,6 @@
title: Potential RCE Exploitation Attempt In NodeJS
id: 97661d9d-2beb-4630-b423-68985291a8af
status: experimental
status: test
description: Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.
references:
- https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
2 changes: 1 addition & 1 deletion rules/application/spring/spring_spel_injection.yml
@@ -1,6 +1,6 @@
title: Potential SpEL Injection In Spring Framework
id: e9edd087-89d8-48c9-b0b4-5b9bb10896b8
status: experimental
status: test
description: Detects potential SpEL Injection exploitation, which may lead to RCE.
references:
- https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection
2 changes: 1 addition & 1 deletion rules/application/velocity/velocity_ssti_injection.yml
@@ -1,6 +1,6 @@
title: Potential Server Side Template Injection In Velocity
id: 16c86189-b556-4ee8-b4c7-7e350a195a4f
status: experimental
status: test
description: Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.
references:
- https://antgarsil.github.io/posts/velocity/
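Review bot: the description context line is a comma splice ("Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE."); suggest "Detects exceptions in the Velocity template renderer. This most likely happens due to dynamic rendering of user input and may lead to RCE."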
2 changes: 1 addition & 1 deletion rules/linux/auditd/lnx_auditd_modify_system_firewall.yml
@@ -3,7 +3,7 @@ id: 323ff3f5-0013-4847-bbd4-250b5edb62cc
related:
- id: 53059bc0-1472-438b-956a-7508a94a91f0
type: similar
status: experimental
status: test
description: |
Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access.
Detection rules that match only on the disabling of firewalls will miss this.
@@ -1,6 +1,6 @@
title: Suspicious Installer Package Child Process
id: e0cfaecd-602d-41af-988d-f6ccebb2af26
status: experimental
status: test
description: Detects the execution of suspicious child processes from macOS installer package parent process. This includes osascript, JXA, curl and wget amongst other interpreters
references:
- https://redcanary.com/blog/clipping-silver-sparrows-wings/
@@ -1,6 +1,6 @@
title: Potential Persistence Via PlistBuddy
id: 65d506d3-fcfe-4071-b4b2-bcefe721bbbb
status: experimental
status: test
description: Detects potential persistence activity using LaunchAgents or LaunchDaemons via the PlistBuddy utility
references:
- https://redcanary.com/blog/clipping-silver-sparrows-wings/
@@ -1,6 +1,6 @@
title: Guest Account Enabled Via Sysadminctl
id: d7329412-13bd-44ba-a072-3387f804a106
status: experimental
status: test
description: Detects attempts to enable the guest account using the sysadminctl utility
references:
- https://ss64.com/osx/sysadminctl.html
@@ -1,6 +1,6 @@
title: Invoke-Obfuscation CLIP+ Launcher - System
id: f7385ee2-0e0c-11eb-adc1-0242ac120002
status: experimental
status: test
description: Detects Obfuscated use of Clip.exe to execute PowerShell
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task 26)
@@ -1,6 +1,6 @@
title: Scheduled Task Executed From A Suspicious Location
id: 424273ea-7cf8-43a6-b712-375f925e481f
status: experimental
status: test
description: Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task
references:
- Internal Research
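Review bot: the description context line contains the typo "unusale" and the contraction "it's" ("or it's an unusale program to be run from a Scheduled Task"); since this rule is being promoted out of experimental, suggest fixing it to "or where it is an unusual program to be run from a Scheduled Task" in the same change.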
@@ -1,6 +1,6 @@
title: Scheduled Task Executed Uncommon LOLBIN
id: f0767f15-0fb3-44b9-851e-e8d9a6d0005d
status: experimental
status: test
description: Detects the execution of Scheduled Tasks where the program being run is located in a suspicious location or where it is an unusual program to be run from a Scheduled Task
references:
- Internal Research
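Review bot: the description context line of "Scheduled Task Executed Uncommon LOLBIN" is the same text as the "Scheduled Task Executed From A Suspicious Location" rule above it (program located in a suspicious location or unusual program), so it does not say what distinguishes this rule, namely the uncommon LOLBIN being run by the task. Suggest rewriting the description to state the LOLBIN condition before promoting the rule to test.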
@@ -5,7 +5,7 @@ related:
type: similar
- id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad # Security-Audting Eventlog
type: similar
status: experimental
status: test
description: Detects when adversaries try to stop system services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities
author: frack113
date: 2023/01/13
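Review bot: the related-rule comment "# Security-Audting Eventlog" in the context lines has a typo; suggest "# Security-Auditing Eventlog".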
@@ -1,6 +1,6 @@
title: Unusual File Download from Direct IP Address
id: 025bd229-fd1f-4fdb-97ab-20006e1a5368
status: experimental
status: test
description: Detects the download of suspicious file type from URLs with IP
references:
- https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md
@@ -1,6 +1,6 @@
title: Potential PrintNightmare Exploitation Attempt
id: 5b2bbc47-dead-4ef7-8908-0cf73fcbecbf
status: experimental
status: test
description: Detect DLL deletions from Spooler Service driver folder. This might be a potential exploitation attempt of CVE-2021-1675
references:
- https://github.com/hhlxf/PrintNightmare
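Review bot: the description context line opens with "Detect DLL deletions from Spooler Service driver folder" while every other rule in this commit uses "Detects"; suggest "Detects DLL deletions from the Spooler Service driver folder" for consistency before the status bump.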
@@ -1,6 +1,6 @@
title: Backup Files Deleted
id: 06125661-3814-4e03-bfa2-1e4411c60ac3
status: experimental
status: test
description: Detects deletion of files with extensions often used for backup files. Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files
@@ -1,6 +1,6 @@
title: EventLog EVTX File Deleted
id: 63c779ba-f638-40a0-a593-ddd45e8b1ddc
status: experimental
status: test
description: Detects the deletion of the event log files which may indicate an attempt to destroy forensic evidence
references:
- Internal Research
@@ -1,6 +1,6 @@
title: IIS WebServer Access Logs Deleted
id: 3eb8c339-a765-48cc-a150-4364c04652bf
status: experimental
status: test
description: Detects the deletion of IIS WebServer access logs which may indicate an attempt to destroy forensic evidence
references:
- https://www.elastic.co/guide/en/security/current/webserver-access-logs-deleted.html
@@ -1,6 +1,6 @@
title: PowerShell Console History Logs Deleted
id: ff301988-c231-4bd0-834c-ac9d73b86586
status: experimental
status: test
description: Detects the deletion of the PowerShell console History logs which may indicate an attempt to destroy forensic evidence
references:
- Internal Research
@@ -1,6 +1,6 @@
title: Prefetch File Deleted
id: 0a1f9d29-6465-4776-b091-7f43b26e4c89
status: experimental
status: test
description: Detects the deletion of a prefetch file which may indicate an attempt to destroy forensic evidence
author: Cedric MAURUGEON
date: 2021/09/29
@@ -1,6 +1,6 @@
title: Tomcat WebServer Logs Deleted
id: 270185ff-5f50-4d6d-a27f-24c3b8c9fef8
status: experimental
status: test
description: Detects the deletion of tomcat WebServer logs which may indicate an attempt to destroy forensic evidence
references:
- Internal Research
@@ -3,7 +3,7 @@ id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0
related:
- id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 # FileChange version
type: similar
status: experimental
status: test
description: Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
- https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html
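Review bot: the description context line contains the typo "which my indicate activity related to remote code execution"; suggest "which may indicate activity related to remote code execution".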
@@ -3,7 +3,7 @@ id: df6ecb8b-7822-4f4b-b412-08f524b4576c
related:
- id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule
type: similar
status: experimental
status: test
description: Detects the creation of system dlls that are not present on the system. Usually to achieve dll hijacking
references:
- https://decoded.avast.io/martinchlumecky/png-steganography/
@@ -5,7 +5,7 @@ related:
type: similar
- id: 07aa184a-870d-413d-893a-157f317f6f58 # ProcCreation Susp
type: similar
status: experimental
status: test
description: Detects creation of files which are the results of executing the built-in reconnaissance script "C:\Windows\System32\gatherNetworkInfo.vbs".
references:
- https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
@@ -1,6 +1,6 @@
title: File Creation In Suspicious Directory By Msdt.EXE
id: 318557a5-150c-4c8d-b70e-a9910e199857
status: experimental
status: test
description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities
references:
- https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
@@ -5,7 +5,7 @@ related:
type: derived
- id: e4b63079-6198-405c-abd7-3fe8b0ce3263
type: obsoletes
status: experimental
status: test
description: Detects the creation of Usage Log files by the CLR (clr.dll). These files are named after the executing process once the assembly is finished executing for the first time in the (user) session context.
references:
- https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/
@@ -1,6 +1,6 @@
title: Suspicious File Creation In Uncommon AppData Folder
id: d7b50671-d1ad-4871-aa60-5aa5b331fe04
status: experimental
status: test
description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs
references:
- Internal Research
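Review bot: the description context line has the typo "Romaing" (should be "Roaming") and the ungrammatical "bypass detection who exclude the AppData folder"; suggest "(Local, Roaming, LocalLow). This could be used to bypass detections that exclude the AppData folder for fear of false positives" before promoting the rule.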
@@ -1,6 +1,6 @@
title: Office Macro File Creation From Suspicious Process
id: b1c50487-1967-4315-a026-6491686d860e
status: experimental
status: test
description: Detects the creation of a office macro file from a a suspicious process
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md
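Review bot: the description context line reads "Detects the creation of a office macro file from a a suspicious process" (wrong article and a doubled "a"); suggest "Detects the creation of an Office macro file from a suspicious process".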
@@ -1,6 +1,6 @@
title: Suspicious File Created Via OneNote Application
id: fcc6d700-68d9-4241-9a1a-06874d621b06
status: experimental
status: test
description: Detects suspicious files created via the OneNote application. This could indicate a potential malicious ".one"/".onepkg" file was executed as seen being used in malware activity in the wild
references:
- https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/
@@ -1,6 +1,6 @@
title: Potential Persistence Via Outlook Form
id: c3edc6a5-d9d4-48d8-930e-aab518390917
status: experimental
status: test
description: Detects the creation of a new Outlook form which can contain malicious code
references:
- https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76
@@ -1,6 +1,6 @@
title: Publisher Attachment File Dropped In Suspicious Location
id: 3d2a2d59-929c-4b78-8c1a-145dfe9e07b1
status: experimental
status: test
description: Detects creation of files with the ".pub" extension in suspicious or uncommon locations. This could be a sign of attackers abusing Publisher documents
references:
- https://twitter.com/EmericNasi/status/1623224526220804098
@@ -1,6 +1,6 @@
title: Potential Startup Shortcut Persistence Via PowerShell.EXE
id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d
status: experimental
status: test
description: |
Detects PowerShell writing startup shortcuts.
This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence.
@@ -1,6 +1,6 @@
title: PSEXEC Remote Execution File Artefact
id: 304afd73-55a5-4bb9-8c21-0b1fc84ea9e4
status: experimental
status: test
description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system
references:
- https://aboutdfir.com/the-key-to-identify-psexec/
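Review bot: the description context line splits a sentence into a fragment ("Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed."); suggest joining them: "Detects creation of the PsExec key file, which is created any time a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system."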
@@ -1,6 +1,6 @@
title: DLL Loaded From Suspicious Location Via Cmspt.EXE
id: 75e508f7-932d-4ebc-af77-269237a84ce1
status: experimental
status: test
description: Detects cmstp loading "dll" or "ocx" files from suspicious locations
references:
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml
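Review bot: the title context line says "Via Cmspt.EXE" while the description refers to cmstp; the binary is cmstp.exe, so the title has a transposition. Suggest "DLL Loaded From Suspicious Location Via Cmstp.EXE" before the rule leaves experimental status, since the title is what most consumers see.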
@@ -1,6 +1,6 @@
title: Suspicious Renamed Comsvcs DLL Loaded By Rundll32
id: 8cde342c-ba48-4b74-b615-172c330f2e93
status: experimental
status: test
description: Detects rundll32 loading a renamed comsvcs.dll to dump process memory
references:
- https://twitter.com/sbousseaden/status/1555200155351228419
@@ -1,6 +1,6 @@
title: Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
id: ec8c4047-fad9-416a-8c81-0f479353d7f6
status: experimental
status: test
description: Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library
references:
- https://www.securonix.com/blog/detecting-microsoft-msdt-dogwalk/
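Review bot: the description context line "Detects both of CVE-2022-30190 (Follina) and DogWalk vulnerabilities exploiting msdt.exe binary to load the "sdiageng.dll" library" is awkwardly phrased; suggest "Detects exploitation of either CVE-2022-30190 (Follina) or DogWalk, both of which abuse the msdt.exe binary to load the "sdiageng.dll" library".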