Merge PR SigmaHQ#5027 from @nasbench - Promote older rules status fro…

…m `experimental` to `test` chore: promote older rules status from experimental to test Co-authored-by: nasbench <[email protected]>
SavinSpring · Oct 1, 2024 · 08c52c3 · 08c52c3
1 parent 8ebc58c
commit 08c52c3
Show file tree

Hide file tree

Showing 73 changed files with 73 additions and 73 deletions.
diff --git a/...ts/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml b/...ts/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml
@@ -3,7 +3,7 @@ id: f8987c03-4290-4c96-870f-55e75ee377f4
 related:
     - id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db
       type: similar
-status: experimental
+status: test
 description: |
     Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
 references:

diff --git a/.../CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml b/.../CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml
@@ -3,7 +3,7 @@ id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db
 related:
     - id: f8987c03-4290-4c96-870f-55e75ee377f4
       type: similar
-status: experimental
+status: test
 description: |
     Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
 references:

diff --git a/...eats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml b/...eats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml
@@ -3,7 +3,7 @@ id: 27d2cdde-9778-490e-91ec-9bd0be6e8cc6
 related:
     - id: a902d249-9b9c-4dc4-8fd0-fbe528ef965c
       type: similar
-status: experimental
+status: test
 description: |
     Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
 references:

diff --git a/...hreats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml b/...hreats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml
@@ -3,7 +3,7 @@ id: a902d249-9b9c-4dc4-8fd0-fbe528ef965c
 related:
     - id: 27d2cdde-9778-490e-91ec-9bd0be6e8cc6
       type: similar
-status: experimental
+status: test
 description: |
     Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
 references:

diff --git a/...merging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise.yml b/...merging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise.yml
@@ -3,7 +3,7 @@ id: 04017cd5-621e-4ec4-a762-1f042fe3d3e5
 related:
     - id: ba5268de-4dd4-4d5c-8a90-2b5e6dc1aff8
       type: derived
-status: experimental
+status: test
 description: |
     Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing
 references:

diff --git a/...ing-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise_poc.yml b/...ing-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise_poc.yml
@@ -3,7 +3,7 @@ id: ba5268de-4dd4-4d5c-8a90-2b5e6dc1aff8
 related:
     - id: 04017cd5-621e-4ec4-a762-1f042fe3d3e5
       type: derived
-status: experimental
+status: test
 description: |
     Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code
 references:

diff --git a/...ng-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml b/...ng-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml
@@ -3,7 +3,7 @@ id: f195b2ff-e542-41bf-8d91-864fb81e5c20
 related:
     - id: e9928831-ba14-42ea-a4bc-33d352b9929a
       type: similar
-status: experimental
+status: test
 description: Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.
 references:
     - https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main

diff --git a/...ging-threats/2023/Exploits/CVE-2023-46747/web_cve_2023_46747_f5_remote_code_execution.yml b/...ging-threats/2023/Exploits/CVE-2023-46747/web_cve_2023_46747_f5_remote_code_execution.yml
@@ -3,7 +3,7 @@ id: e9928831-ba14-42ea-a4bc-33d352b9929a
 related:
     - id: f195b2ff-e542-41bf-8d91-864fb81e5c20
       type: similar
-status: experimental
+status: test
 description: Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.
 references:
     - https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main

diff --git a/...2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml b/...2023-4966/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml
@@ -7,7 +7,7 @@ related:
       type: similar
     - id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit
       type: similar
-status: experimental
+status: test
 description: Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs by looking for a very long host header string.
 references:
     - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967

diff --git a/...6/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml b/...6/proxy_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml
@@ -7,7 +7,7 @@ related:
       type: similar
     - id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit
       type: similar
-status: experimental
+status: test
 description: Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs.
 references:
     - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967

diff --git a/...E-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml b/...E-2023-4966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit.yml
@@ -7,7 +7,7 @@ related:
       type: similar
     - id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit
       type: similar
-status: experimental
+status: test
 description: Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs.
 references:
     - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967

diff --git a/...966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml b/...966/web_exploit_cve_2023_4966_citrix_sensitive_information_disclosure_exploit_attempt.yml
@@ -7,7 +7,7 @@ related:
       type: similar
     - id: aee7681f-b53d-4594-a9de-ac51e6ad3362 # Proxy Exploit
       type: similar
-status: experimental
+status: test
 description: Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs by looking for a very long host header string.
 references:
     - https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967

diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/file_event_win_apt_lace_tempest_indicators.yml
@@ -1,6 +1,6 @@
 title: Lace Tempest File Indicators
 id: e94486ea-2650-4548-bf25-88cbd0bb32d7
-status: experimental
+status: test
 description: Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7
 references:
     - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification

diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_eraser_script.yml
@@ -1,6 +1,6 @@
 title: Lace Tempest PowerShell Evidence Eraser
 id: b377ddab-502d-4519-9e8c-5590033d2d70
-status: experimental
+status: test
 description: |
     Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team
 references:

diff --git a/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml b/rules-emerging-threats/2023/TA/Lace-Tempest/posh_ps_apt_lace_tempest_malware_launcher.yml
@@ -1,6 +1,6 @@
 title: Lace Tempest PowerShell Launcher
 id: 37dc5463-f7e3-4f61-ad76-ba59cd02a651
-status: experimental
+status: test
 description: |
     Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team
 references:

diff --git a/...hreats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml b/...hreats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_cobalt_strike_download.yml
@@ -1,6 +1,6 @@
 title: Lace Tempest Cobalt Strike Download
 id: aa5b0a40-ed88-46aa-9fdc-0337b379ca9d
-status: experimental
+status: test
 description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
 references:
     - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification

diff --git a/...ging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml b/...ging-threats/2023/TA/Lace-Tempest/proc_creation_win_apt_lace_tempest_loader_execution.yml
@@ -1,6 +1,6 @@
 title: Lace Tempest Malware Loader Execution
 id: 745ea50b-9673-4ba7-9426-cb45cf4a8e6d
-status: experimental
+status: test
 description: Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team
 references:
     - https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification

diff --git a/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml b/rules-threat-hunting/windows/file/file_rename/file_rename_win_non_dll_to_dll_ext.yml
@@ -1,6 +1,6 @@
 title: Non-DLL Extension File Renamed With DLL Extension
 id: bbfd974c-248e-4435-8de6-1e938c79c5c1
-status: experimental
+status: test
 description: |
     Detects rename operations of files with non-DLL extensions to files with a DLL extension. This is often performed by malware in order to avoid initial detections based on extensions.
 references:

diff --git a/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml b/rules-threat-hunting/windows/process_access/proc_access_win_lsass_susp_source_process.yml
@@ -1,6 +1,6 @@
 title: LSASS Access From Program In Potentially Suspicious Folder
 id: fa34b441-961a-42fa-a100-ecc28c886725
-status: experimental
+status: test
 description: Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder
 references:
     - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights

diff --git a/...threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml b/...threat-hunting/windows/process_creation/proc_creation_win_powershell_crypto_namespace.yml
@@ -1,6 +1,6 @@
 title: Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
 id: ad856965-f44d-42a8-945e-bbf7bd03d05a
-status: experimental
+status: test
 description: |
     Detects the invocation of PowerShell commands with references to classes from the "System.Security.Cryptography" namespace.
     The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.

diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_import_module.yml
@@ -1,6 +1,6 @@
 title: Import New Module Via PowerShell CommandLine
 id: 4ad74d01-f48c-42d0-b88c-b31efa4d2262
-status: experimental
+status: test
 description: Detects usage of the "Import-Module" cmdlet in order to add new Cmdlets to the current PowerShell session
 references:
     - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/import-module?view=powershell-7.3

diff --git a/...-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml b/...-threat-hunting/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml
@@ -3,7 +3,7 @@ id: 61065c72-5d7d-44ef-bf41-6a36684b545f
 related:
     - id: 178e615d-e666-498b-9630-9ed363038101
       type: similar
-status: experimental
+status: test
 description: |
     Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. Use this rule to hunt for potential suspicious processes.
 references:

diff --git a/...threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml b/...threat-hunting/windows/registry/registry_set/registry_set_powershell_crypto_namespace.yml
@@ -1,6 +1,6 @@
 title: Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
 id: 1c2a3268-3881-414a-80af-a5b313b14c0e
-status: experimental
+status: test
 description: |
     Detects the setting of a registry inside the "\Shell\Open\Command" value with PowerShell classes from the "System.Security.Cryptography" namespace.
     The PowerShell namespace "System.Security.Cryptography" provides classes for on-the-fly encryption and decryption.

diff --git a/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml b/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml
@@ -1,6 +1,6 @@
 title: Potential Linux Process Code Injection Via DD Utility
 id: 4cad6c64-d6df-42d6-8dae-eb78defdc415
-status: experimental
+status: test
 description: Detects the injection of code by overwriting the memory map of a Linux process using the "dd" Linux command.
 references:
     - https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/

diff --git a/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml b/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml
@@ -3,7 +3,7 @@ id: b59c98c6-95e8-4d65-93ee-f594dfb96b17
 related:
     - id: 85254a62-22be-4239-b79c-2ec17e566c37
       type: similar
-status: experimental
+status: test
 description: Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
 references:
     - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash

diff --git a/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml b/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml
@@ -3,7 +3,7 @@ id: 85254a62-22be-4239-b79c-2ec17e566c37
 related:
     - id: b59c98c6-95e8-4d65-93ee-f594dfb96b17
       type: similar
-status: experimental
+status: test
 description: Detects POST requests to the F5 BIG-IP iControl Rest API "bash" endpoint, which allows the execution of commands on the BIG-IP
 references:
     - https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash

diff --git a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml
@@ -3,7 +3,7 @@ id: c8b00925-926c-47e3-beea-298fd563728e
 related:
     - id: 1a31b18a-f00c-4061-9900-f735b96c99fc
       type: similar
-status: experimental
+status: test
 description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
 references:
     - https://redcanary.com/blog/misbehaving-rats/

diff --git a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml
@@ -7,7 +7,7 @@ related:
       type: derived
     - id: 100ef69e-3327-481c-8e5c-6d80d9507556
       type: derived
-status: experimental
+status: test
 description: One of the Windows Eventlogs has been cleared. e.g. caused by "wevtutil cl" command execution
 references:
     - https://twitter.com/deviouspolack/status/832535435960209408

diff --git a/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml b/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml
@@ -3,7 +3,7 @@ id: 100ef69e-3327-481c-8e5c-6d80d9507556
 related:
     - id: a62b37e0-45d3-48d9-a517-90c1a1b0186b
       type: derived
-status: experimental
+status: test
 description: Detects the clearing of one of the Windows Core Eventlogs. e.g. caused by "wevtutil cl" command execution
 references:
     - https://twitter.com/deviouspolack/status/832535435960209408

diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml b/rules/windows/create_remote_thread/create_remote_thread_win_powershell_susp_targets.yml
@@ -3,7 +3,7 @@ id: 99b97608-3e21-4bfe-8217-2a127c396a0e
 related:
     - id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
       type: similar
-status: experimental
+status: test
 description: Detects the creation of a remote thread from a Powershell process in an uncommon target process
 references:
     - https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html

diff --git a/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml b/rules/windows/dns_query/dns_query_win_devtunnels_communication.yml
@@ -7,7 +7,7 @@ related:
       type: similar
     - id: b3e6418f-7c7a-4fad-993a-93b65027a9f1 # DNS VsCode
       type: similar
-status: experimental
+status: test
 description: |
     Detects DNS query requests to Devtunnels domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
 references:

diff --git a/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml b/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml
@@ -7,7 +7,7 @@ related:
       type: similar
     - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
       type: similar
-status: experimental
+status: test
 description: |
     Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
 references:

diff --git a/rules/windows/driver_load/driver_load_win_mal_drivers.yml b/rules/windows/driver_load/driver_load_win_mal_drivers.yml
@@ -1,6 +1,6 @@
 title: Malicious Driver Load
 id: 05296024-fe8a-4baf-8f3d-9a5f5624ceb2
-status: experimental
+status: test
 description: Detects loading of known malicious drivers via their hash.
 references:
     - https://loldrivers.io/

diff --git a/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml b/rules/windows/driver_load/driver_load_win_mal_drivers_names.yml
@@ -1,6 +1,6 @@
 title: Malicious Driver Load By Name
 id: 39b64854-5497-4b57-a448-40977b8c9679
-status: experimental
+status: test
 description: Detects loading of known malicious drivers via the file name of the drivers.
 references:
     - https://loldrivers.io/

diff --git a/rules/windows/driver_load/driver_load_win_vuln_drivers.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml
@@ -1,6 +1,6 @@
 title: Vulnerable Driver Load
 id: 7aaaf4b8-e47c-4295-92ee-6ed40a6f60c8
-status: experimental
+status: test
 description: Detects loading of known vulnerable drivers via their hash.
 references:
     - https://loldrivers.io/

diff --git a/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml
@@ -1,6 +1,6 @@
 title: Vulnerable Driver Load By Name
 id: 72cd00d6-490c-4650-86ff-1d11f491daa1
-status: experimental
+status: test
 description: Detects the load of known vulnerable drivers via the file name of the drivers.
 references:
     - https://loldrivers.io/

diff --git a/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml b/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml
@@ -3,7 +3,7 @@ id: b48492dc-c5ef-4572-8dff-32bc241c15c8
 related:
     - id: 3669afd2-9891-4534-a626-e5cf03810a61
       type: derived
-status: experimental
+status: test
 description: |
     Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.
     This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.

diff --git a/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml b/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml
@@ -3,7 +3,7 @@ id: 3669afd2-9891-4534-a626-e5cf03810a61
 related:
     - id: b48492dc-c5ef-4572-8dff-32bc241c15c8
       type: derived
-status: experimental
+status: test
 description: |
     Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.
     This library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.

diff --git a/rules/windows/network_connection/net_connection_win_domain_devtunnels.yml b/rules/windows/network_connection/net_connection_win_domain_devtunnels.yml
@@ -7,7 +7,7 @@ related:
       type: similar
     - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
       type: similar
-status: experimental
+status: test
 description: |
     Detects network connections to Devtunnels domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
 references:

diff --git a/rules/windows/network_connection/net_connection_win_domain_vscode_tunnel_connection.yml b/rules/windows/network_connection/net_connection_win_domain_vscode_tunnel_connection.yml
@@ -7,7 +7,7 @@ related:
       type: similar
     - id: 1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b # DNS DevTunnels
       type: similar
-status: experimental
+status: test
 description: |
     Detects network connections to Visual Studio Code tunnel domains initiated by a process on a system. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
 references:

diff --git a/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml b/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml
@@ -3,7 +3,7 @@ id: 851fd622-b675-4d26-b803-14bc7baa517a
 related:
     - id: d557dc06-62e8-4468-a8e8-7984124908ce
       type: similar
-status: experimental
+status: test
 description: |
     Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
 author: Swachchhanda Shrawan Poudel

diff --git a/rules/windows/process_access/proc_access_win_hktl_generic_access.yml b/rules/windows/process_access/proc_access_win_hktl_generic_access.yml
@@ -1,6 +1,6 @@
 title: HackTool - Generic Process Access
 id: d0d2f720-d14f-448d-8242-51ff396a334e
-status: experimental
+status: test
 description: Detects process access requests from hacktool processes based on their default image name
 references:
     - https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158

diff --git a/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml b/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml
@@ -3,7 +3,7 @@ id: a18dd26b-6450-46de-8c91-9659150cf088
 related:
     - id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d
       type: similar
-status: experimental
+status: test
 description: Detects process access requests to LSASS process with potentially suspicious access flags
 references:
     - https://learn.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights

diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml
@@ -3,7 +3,7 @@ id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
 related:
     - id: 27ba3207-dd30-4812-abbf-5d20c57d474e
       type: similar
-status: experimental
+status: test
 description: Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension
 references:
     - https://redcanary.com/blog/chromeloader/

diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml
@@ -3,7 +3,7 @@ id: 27ba3207-dd30-4812-abbf-5d20c57d474e
 related:
     - id: 88d6e60c-759d-4ac1-a447-c0f1466c2d21
       type: similar
-status: experimental
+status: test
 description: Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension
 references:
     - https://redcanary.com/blog/chromeloader/

diff --git a/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml b/rules/windows/process_creation/proc_creation_win_cmd_unusual_parent.yml
@@ -1,6 +1,6 @@
 title: Unusual Parent Process For Cmd.EXE
 id: 4b991083-3d0e-44ce-8fc4-b254025d8d4b
-status: experimental
+status: test
 description: Detects suspicious parent process for cmd.exe
 references:
     - https://www.elastic.co/guide/en/security/current/unusual-parent-process-for-cmd.exe.html