Merge PR SigmaHQ#4533 from @nasbench - Promote experimental rules
chore: promote older rules status from `experimental` to `test`

---------

Co-authored-by: nasbench <[email protected]>
github-actions[bot] and nasbench authored Nov 2, 2023
1 parent ba3ff86 commit a6e7cce
Showing 98 changed files with 98 additions and 98 deletions.
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
title: Rejetto HTTP File Server RCE
id: a133193c-2daa-4a29-8022-018695fcf0ae
status: experimental
status: test
description: Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
references:
- https://vk9-sec.com/hfs-code-execution-cve-2014-6287/
@@ -1,6 +1,6 @@
title: CVE-2021-41773 Exploitation Attempt
id: 3007fec6-e761-4319-91af-e32e20ac43f5
status: experimental
status: test
description: |
Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49.
An attacker could use a path traversal attack to map URLs to files outside the expected document root.
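Review bot: the description context line `Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49.` drops an article and the product's capitalisation; since this file is being touched anyway, consider `Detects exploitation of a flaw in path normalization in Apache HTTP Server 2.4.49.`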
@@ -1,6 +1,6 @@
title: Log4j RCE CVE-2021-44228 in Fields
id: 9be472ed-893c-4ec0-94da-312d2765f654
status: experimental
status: test
description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
references:
- https://www.lunasec.io/docs/blog/log4j-zero-day/
@@ -1,6 +1,6 @@
title: Exchange ProxyShell Pattern
id: 23eee45e-933b-49f9-ae1b-df706d2d52ef
status: experimental
status: test
description: Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)
references:
- https://youtu.be/5mqid-7zp8k?t=2231
@@ -1,6 +1,6 @@
title: Zimbra Collaboration Suite Email Server Unauthenticated RCE
id: dd218fb6-4d02-42dc-85f0-a0a376072efd
status: experimental
status: test
description: Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection
references:
- https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/
@@ -1,6 +1,6 @@
title: CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
id: fcf1101d-07c9-49b2-ad81-7e421ff96d80
status: experimental
status: test
description: |
Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.
@@ -1,6 +1,6 @@
title: CVE-2022-31659 VMware Workspace ONE Access RCE
id: efdb2003-a922-48aa-8f37-8b80021a9706
status: experimental
status: test
description: Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
references:
- https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
@@ -1,6 +1,6 @@
title: Apache Spark Shell Command Injection - Weblogs
id: 1a9a04fd-02d1-465c-abad-d733fd409f9c
status: experimental
status: test
description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective
references:
- https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py
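Review bot: the CVE in the description does not match the rule. The context line `description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective` names CVE-2014-6287, which is the Rejetto HFS bug from the first file in this commit, while the title and the referenced PoC (`cve_2022_33891_poc.py`) concern CVE-2022-33891. Suggest `Detects attempts to exploit an Apache Spark server via CVE-2022-33891 from a weblogs perspective` before the rule leaves experimental, since analysts triaging a hit will read the description first.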
@@ -1,6 +1,6 @@
title: Atlassian Bitbucket Command Injection Via Archive API
id: 65c0a0ab-d675-4441-bd6b-d3db226a2685
status: experimental
status: test
description: Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804
references:
- https://twitter.com/_0xf4n9x_/status/1572052954538192901
@@ -1,6 +1,6 @@
title: Potential CVE-2022-46169 Exploitation Attempt
id: 738cb115-881f-4df3-82cc-56ab02fc5192
status: experimental
status: test
description: Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169
references:
- https://github.com/0xf4n9x/CVE-2022-46169
@@ -1,6 +1,6 @@
title: Potential OWASSRF Exploitation Attempt - Webserver
id: 181f49fa-0b21-4665-a98c-a57025ebb8c7
status: experimental
status: test
description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint
references:
- https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
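Review bot: the description runs two sentences together and mixes capitalisation: `...targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint`. Suggest `Detects exploitation attempts of the OWASSRF variant targeting Exchange servers. It uses the OWA endpoint to access the PowerShell backend endpoint`. The proxy-log twin of this rule carries the same sentence and should be fixed together with it.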
@@ -1,6 +1,6 @@
title: OWASSRF Exploitation Attempt Using Public POC - Webserver
id: 92d78c63-5a5c-4c40-9b60-463810ffb082
status: experimental
status: test
description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
references:
- https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
2 changes: 1 addition & 1 deletion rules/category/database/db_anomalous_query.yml
@@ -1,6 +1,6 @@
title: Suspicious SQL Query
id: d84c0ded-edd7-4123-80ed-348bb3ccc4d5
status: experimental
status: test
description: Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
author: '@juju4'
date: 2022/12/27
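Review bot: typo in the description context line: `keywrods` should be `keywords`. The trailing fragment `Such as dropping tables and selecting wildcard fields` also reads better joined to the first sentence: `...recon, exfiltration or destructive activities, such as dropping tables and selecting wildcard fields`.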
2 changes: 1 addition & 1 deletion rules/cloud/aws/cloudtrail/aws_delete_identity.yml
@@ -1,6 +1,6 @@
title: SES Identity Has Been Deleted
id: 20f754db-d025-4a8f-9d74-e0037e999a9a
status: experimental
status: test
description: Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
references:
- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
2 changes: 1 addition & 1 deletion rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml
Expand Up @@ -3,7 +3,7 @@ id: 9e1bef8d-0fff-46f6-8465-9aa54e128c1e
related:
- id: d08722cd-3d09-449a-80b4-83ea2d9d4616
type: similar
status: experimental
status: test
description: Detects calls to hidden files or files located in hidden directories in NIX systems.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
@@ -1,6 +1,6 @@
title: Persistence Via Sudoers Files
id: ddb26b76-4447-4807-871f-1b035b2bfa5d
status: experimental
status: test
description: Detects creation of sudoers file or files in "sudoers.d" directory which can be used a potential method to persiste privileges for a specific user.
references:
- https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
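Review bot: grammar in the description context line: `which can be used a potential method to persiste privileges` should read `which can be used as a potential method to persist privileges`.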
@@ -1,6 +1,6 @@
title: Triple Cross eBPF Rootkit Default LockFile
id: c0239255-822c-4630-b7f1-35362bcb8f44
status: experimental
status: test
description: Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
references:
- https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33
@@ -1,6 +1,6 @@
title: Triple Cross eBPF Rootkit Default Persistence
id: 1a2ea919-d11d-4d1e-8535-06cda13be20f
status: experimental
status: test
description: Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method
references:
- https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh
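Review bot: the description contains a sentence fragment: `..."cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method`. Suggest `..."cron.d" and "sudoers.d" directories, both of which are related to the TripleCross persistence method`.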
@@ -1,6 +1,6 @@
title: Capabilities Discovery - Linux
id: d8d97d51-122d-4cdd-9e2f-01b4b4933530
status: experimental
status: test
description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
references:
- https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
@@ -1,6 +1,6 @@
title: Group Has Been Deleted Via Groupdel
id: 8a46f16c-8c4c-82d1-b121-0fdd3ba70a84
status: experimental
status: test
description: Detects execution of the "groupdel" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks
references:
- https://linuxize.com/post/how-to-delete-group-in-linux/
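Review bot: sentence fragment in the description: `Detects execution of the "groupdel" binary. Which is used to delete a group.` Suggest `Detects execution of the "groupdel" binary, which is used to delete a group.`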
@@ -1,6 +1,6 @@
title: Apt GTFOBin Abuse - Linux
id: bb382fd5-b454-47ea-a264-1828e4c766d6
status: experimental
status: test
description: Detects usage of "apt" and "apt-get" as a GTFOBin to execute and proxy command and binary execution
references:
- https://gtfobins.github.io/gtfobins/apt/
@@ -1,6 +1,6 @@
title: Vim GTFOBin Abuse - Linux
id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea
status: experimental
status: test
description: Detects usage of "vim" and it's siblings as a GTFOBin to execute and proxy command and binary execution
references:
- https://gtfobins.github.io/gtfobins/vim/
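Review bot: `it's siblings` in the description context line should be the possessive `its siblings`.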
@@ -1,6 +1,6 @@
title: Suspicious Package Installed - Linux
id: 700fb7e8-2981-401c-8430-be58e189e741
status: experimental
status: test
description: Detects installation of suspicious packages using system installation utilities
references:
- https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
Expand Up @@ -3,7 +3,7 @@ id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf
related:
- id: 85de3a19-b675-4a51-bfc6-b11a5186c971
type: similar
status: experimental
status: test
description: Detects usage of "find" binary in a suspicious manner to perform discovery
references:
- https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
@@ -1,6 +1,6 @@
title: Suspicious Git Clone - Linux
id: cfec9d29-64ec-4a0f-9ffe-0fdb856d5446
status: experimental
status: test
description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
references:
- https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
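Review bot: the description is redundant and has a number-agreement error: `clone a remote repository that contain suspicious keywords which might be suspicious`. Suggest `Detects execution of "git" in order to clone a remote repository that contains suspicious keywords`.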
2 changes: 1 addition & 1 deletion rules/linux/process_creation/proc_creation_lnx_userdel.yml
@@ -1,6 +1,6 @@
title: User Has Been Deleted Via Userdel
id: 08f26069-6f80-474b-8d1f-d971c6fedea0
status: experimental
status: test
description: Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks
references:
- https://linuxize.com/post/how-to-delete-group-in-linux/
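Review bot: the reference does not match the rule: a userdel rule cites `https://linuxize.com/post/how-to-delete-group-in-linux/`, the same link the groupdel rule in this commit uses, which looks like a copy-paste. Replace it with a reference that actually documents `userdel`, or drop it. The description also repeats the groupdel fragment (`binary. Which is used to delete a user account`); suggest `Detects execution of the "userdel" binary, which is used to delete a user account and related files.`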
@@ -1,6 +1,6 @@
title: Linux Webshell Indicators
id: 818f7b24-0fba-4c49-a073-8b755573b9c7
status: experimental
status: test
description: Detects suspicious sub processes of web server processes
references:
- https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/
@@ -1,6 +1,6 @@
title: Suspicious Execution via macOS Script Editor
id: 6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4
status: experimental
status: test
description: Detects when the macOS Script Editor utility spawns an unusual child process.
author: Tim Rauch (rule), Elastic (idea)
references:
Expand Up @@ -3,7 +3,7 @@ id: 85de3a19-b675-4a51-bfc6-b11a5186c971
related:
- id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf
type: similar
status: experimental
status: test
description: Detects usage of "find" binary in a suspicious manner to perform discovery
references:
- https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
@@ -1,6 +1,6 @@
title: Potential OWASSRF Exploitation Attempt - Proxy
id: 1ddf4596-1908-43c9-add2-1d2c2fcc4797
status: experimental
status: test
description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint
references:
- https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
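Review bot: same run-on sentence as in the webserver variant of this rule: `...targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint`. Suggest `...targeting Exchange servers. It uses the OWA endpoint to access the PowerShell backend endpoint`.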
@@ -1,6 +1,6 @@
title: OWASSRF Exploitation Attempt Using Public POC - Proxy
id: fdd7e904-7304-4616-a46a-e32f917c4be4
status: experimental
status: test
description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
references:
- https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
2 changes: 1 addition & 1 deletion rules/web/webserver_generic/web_susp_useragents.yml
@@ -1,6 +1,6 @@
title: Suspicious User-Agents Related To Recon Tools
id: 19aa4f58-94ca-45ff-bc34-92e533c0994a
status: experimental
status: test
description: Detects known suspicious (default) user-agents related to scanning/recon tools
references:
- https://github.com/wpscanteam/wpscan/blob/196fbab5b1ce3870a43515153d4f07878a89d410/lib/wpscan/browser.rb
2 changes: 1 addition & 1 deletion rules/web/webserver_generic/web_susp_windows_path_uri.yml
@@ -1,6 +1,6 @@
title: Suspicious Windows Strings In URI
id: 9f6a34b4-2688-4eb7-a7f5-e39fef573d0e
status: experimental
status: test
description: Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication
references:
- https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/
Expand Up @@ -3,7 +3,7 @@ id: c4e92a97-a9ff-4392-9d2d-7a4c642768ca
related:
- id: 71c276aa-49cd-43d2-b920-2dcd3e6962d5
type: similar
status: experimental
status: test
description: Detects a service installed by a client which has PID 0 or whose parent has PID 0
references:
- https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
@@ -1,6 +1,6 @@
title: Win Susp Computer Name Containing Samtheadmin
id: 39698b3f-da92-4bc6-bfb5-645a98386e45
status: experimental
status: test
description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
references:
- https://twitter.com/malmoeb/status/1511760068743766026
Expand Up @@ -3,7 +3,7 @@ id: 71c276aa-49cd-43d2-b920-2dcd3e6962d5
related:
- id: c4e92a97-a9ff-4392-9d2d-7a4c642768ca
type: similar
status: experimental
status: test
description: Detects a service installed by a client which has PID 0 or whose parent has PID 0
references:
- https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html
@@ -1,6 +1,6 @@
title: Exchange PowerShell Cmdlet History Deleted
id: a55349d8-9588-4c5a-8e3b-1925fe2a4ffe
status: experimental
status: test
description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
references:
- https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
@@ -1,6 +1,6 @@
title: Potential Remote Credential Dumping Activity
id: 6e2a900a-ced9-4e4a-a9c2-13e706f9518a
status: experimental
status: test
description: Detects default filenames output from the execution of CrackMapExec and Impacket-secretsdump against an endpoint.
references:
- https://github.com/Porchetta-Industries/CrackMapExec
@@ -1,6 +1,6 @@
title: Potential Persistence Via Notepad++ Plugins
id: 54127bd4-f541-4ac3-afdb-ea073f63f692
status: experimental
status: test
description: Detects creation of new ".dll" files inside the plugins directory of a notepad++ installation by a process other than "gup.exe". Which could indicates possible persistence
references:
- https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/
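Review bot: grammar in the description context line: `by a process other than "gup.exe". Which could indicates possible persistence` should read `by a process other than "gup.exe", which could indicate possible persistence`.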
@@ -1,6 +1,6 @@
title: Potential RipZip Attack on Startup Folder
id: a6976974-ea6f-4e97-818e-ea08625c52cb
status: experimental
status: test
description: |
Detects a phishing attack which expands a ZIP file containing a malicious shortcut.
If the victim expands the ZIP file via the explorer process, then the explorer process expands the malicious ZIP file and drops a malicious shortcut redirected to a backdoor into the Startup folder.
2 changes: 1 addition & 1 deletion rules/windows/file/file_event/file_event_win_sam_dump.yml
@@ -1,6 +1,6 @@
title: Potential SAM Database Dump
id: 4e87b8e2-2ee9-4b2a-a715-4727d297ece0
status: experimental
status: test
description: Detects the creation of files that look like exports of the local SAM (Security Account Manager)
references:
- https://github.com/search?q=CVE-2021-36934
@@ -1,6 +1,6 @@
title: Suspicious Creation with Colorcpl
id: e15b518d-b4ce-4410-a9cd-501f23ce4a18
status: experimental
status: test
description: Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\
references:
- https://twitter.com/eral4m/status/1480468728324231172?s=20
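Review bot: the description explains what the binary does rather than what the rule detects: `Once executed, colorcpl.exe will copy the arbitrary file to c:\windows\system32\spool\drivers\color\`. Every other rule in this commit opens with `Detects ...`; before promoting, reword it to state the detected event, consistent with the title `Suspicious Creation with Colorcpl`, and keep the copy behaviour as the explanatory second sentence.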
@@ -1,6 +1,6 @@
title: Rename Common File to DLL File
id: bbfd974c-248e-4435-8de6-1e938c79c5c1
status: experimental
status: test
description: Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection
references:
- https://twitter.com/ffforward/status/1481672378639912960
@@ -1,6 +1,6 @@
title: Suspicious Appended Extension
id: e3f673b3-65d1-4d80-9146-466f8b63fa99
status: experimental
status: test
description: Detects file renames where the target filename uses an uncommon double extension. Could indicate potential ransomware activity renaming files and adding a custom extension to the encrypted files, such as ".jpg.crypted", ".docx.locky", etc.
references:
- https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/
2 changes: 1 addition & 1 deletion rules/windows/image_load/image_load_side_load_coregen.yml
@@ -1,6 +1,6 @@
title: Potential DLL Sideloading Using Coregen.exe
id: 0fa66f66-e3f6-4a9c-93f8-4f2610b00171
status: experimental
status: test
description: Detect usage of DLL "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Coregen/
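Review bot: `Detect usage of DLL "coregen.exe"` mislabels the binary: coregen.exe is an executable, not a DLL, and the verb should be `Detects` like the other rules. Suggest `Detects usage of the "coregen.exe" (Microsoft CoreCLR Native Image Generator) binary to sideload arbitrary DLLs.`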
@@ -1,6 +1,6 @@
title: PowerShell Get Clipboard
id: 4cbd4f12-2e22-43e3-882f-bff3247ffb78
status: experimental
status: test
description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
references:
- https://github.com/OTRF/detection-hackathon-apt29/issues/16
Expand Up @@ -3,7 +3,7 @@ id: 2f211361-7dce-442d-b78a-c04039677378
related:
- id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
type: derived
status: experimental
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
references:
- https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
Expand Up @@ -3,7 +3,7 @@ id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb
related:
- id: e55a5195-4724-480e-a77e-3ebe64bd3759
type: derived
status: experimental
status: test
description: Detects Obfuscated Powershell via use MSHTA in Scripts
references:
- https://github.com/SigmaHQ/sigma/issues/1009 # (Task31)
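Review bot: grammar in the description context line: `Detects Obfuscated Powershell via use MSHTA in Scripts` should read `Detects obfuscated PowerShell via use of MSHTA in scripts`.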
Expand Up @@ -5,7 +5,7 @@ related:
type: derived
- id: ed965133-513f-41d9-a441-e38076a0798f
type: similar
status: experimental
status: test
description: Detects suspicious PowerShell invocation command parameters
author: Florian Roth (Nextron Systems)
date: 2017/03/12