Merge PR SigmaHQ#4867 from @nasbench - Promote older rules status from `experimental` to `test`

chore: promote older rules status from experimental to test

Co-authored-by: nasbench <[email protected]>
github-actions[bot] and nasbench authored Jun 3, 2024
1 parent 3be29eb commit d84959e
Showing 49 changed files with 49 additions and 49 deletions.
@@ -1,6 +1,6 @@
title: Potential CVE-2023-27997 Exploitation Indicators
id: 31e4e649-7394-4fd2-9ae7-dbc61eebb550
status: experimental
status: test
description: |
Detects indicators of potential exploitation of CVE-2023-27997 in Frotigate weblogs.
To avoid false positives it is best to look for successive requests to the endpoints mentioned as well as weird values of the "enc" parameter
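Review bot: the description in this hunk still reads "Frotigate weblogs" (context line 6 of the rule); the product name is "Fortigate", and the second sentence has no terminating period. Since the only change here is `status: experimental` -> `status: test`, fix the typo in the same pass so the rule does not carry a misspelled vendor name into a higher-confidence status.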
@@ -1,6 +1,6 @@
title: MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
id: 435e41f2-48eb-4c95-8a2b-ed24b50ec30b
status: experimental
status: test
description: Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362
references:
- https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023
@@ -1,6 +1,6 @@
title: Potential CVE-2023-36884 Exploitation Dropped File
id: 8023d3a2-dcdc-44da-8fa9-5c7906e55b38
status: experimental
status: test
description: Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884
references:
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
@@ -1,6 +1,6 @@
title: Potential CVE-2023-36884 Exploitation Pattern
id: 0066d244-c277-4c3e-88ec-9e7b777cc8bc
status: experimental
status: test
description: Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884
references:
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
@@ -1,6 +1,6 @@
title: Potential CVE-2303-36884 URL Request Pattern Traffic
id: d9365e39-febd-4a4b-8441-3ca91bb9d333
status: experimental
status: test
description: Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCOM potentially exploiting CVE-2023-36884
references:
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
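Review bot: the title in this hunk says "CVE-2303-36884" while the description and the other rules in this batch reference CVE-2023-36884; the year is a typo and the title should read "Potential CVE-2023-36884 URL Request Pattern Traffic". The description also spells the actor "RomCOM" where the sibling rules use "RomCom"; harmonize the spelling while the file is being touched.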
@@ -1,6 +1,6 @@
title: Potential CVE-2023-36884 Exploitation - File Downloads
id: 6af1617f-c179-47e3-bd66-b28034a1052d
status: experimental
status: test
description: Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884
references:
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
@@ -1,6 +1,6 @@
title: Potential CVE-2023-36884 Exploitation - URL Marker
id: e59f71ff-c042-4f7a-8a82-8f53beea817e
status: experimental
status: test
description: Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884
references:
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
@@ -1,6 +1,6 @@
title: Potential CVE-2023-36884 Exploitation - Share Access
id: 3df95076-9e78-4e63-accb-16699c3b74f8
status: experimental
status: test
description: Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884
references:
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
@@ -1,6 +1,6 @@
title: Local Firewall Rules Enumeration Via NetFirewallRule Cmdlet
id: ea207a23-b441-4a17-9f76-ad5be47d51d3
status: experimental
status: test
description: Detects execution of "Get-NetFirewallRule" or "Show-NetFirewallRule" to enumerate the local firewall rules on a host.
references:
- https://learn.microsoft.com/en-us/powershell/module/netsecurity/get-netfirewallrule?view=windowsserver2022-ps
@@ -1,6 +1,6 @@
title: Windows Mail App Mailbox Access Via PowerShell Script
id: 4e485d01-e18a-43f6-a46b-ef20496fa9d3
status: experimental
status: test
description: Detects PowerShell scripts that try to access the default Windows MailApp MailBox. This indicates manipulation of or access to the stored emails of a user. E.g. this could be used by an attacker to exfiltrate or delete the content of the emails.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1070.008/T1070.008.md
Expand Up @@ -3,7 +3,7 @@ id: 6df07c3b-8456-4f8b-87bb-fe31ec964cae
related:
- id: 2238d337-42fb-4971-9a68-63570f2aede4
type: similar
status: experimental
status: test
description: Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments
references:
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1570/T1570.md
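Review bot: the description here ("...which can be an unexpected event in some enterprise environments") has no terminating period, while the related rule 2238d337-42fb-4971-9a68-63570f2aede4 later in this commit carries the identical sentence with one; make the two descriptions match since they are declared `similar` to each other.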
Expand Up @@ -7,7 +7,7 @@ related:
type: similar
- id: 9f22ccd5-a435-453b-af96-bf99cbb594d4
type: similar
status: experimental
status: test
description: Detects calls to WinAPI libraries from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
Expand Up @@ -7,7 +7,7 @@ related:
type: similar
- id: 19d65a1c-8540-4140-8062-8eb00db0bba5
type: similar
status: experimental
status: test
description: Detects calls to WinAPI functions from PowerShell scripts. Attackers can often leverage these APIs to avoid detection based on typical PowerShell function calls. Use this rule as a basis to hunt for interesting scripts.
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
Expand Up @@ -3,7 +3,7 @@ id: acf2807c-805b-4042-aab9-f86b6ba9cb2b
related:
- id: dcaa3f04-70c3-427a-80b4-b870d73c94c4
type: derived
status: experimental
status: test
description: Detects execution of "csc.exe" to compile .NET code. Attackers often leverage this to compile code on the fly and use it in other stages.
references:
- https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
Expand Up @@ -3,7 +3,7 @@ id: 2238d337-42fb-4971-9a68-63570f2aede4
related:
- id: 6df07c3b-8456-4f8b-87bb-fe31ec964cae
type: similar
status: experimental
status: test
description: Detects the mounting of Windows SMB shares over QUIC, which can be an unexpected event in some enterprise environments.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1570/T1570.md
@@ -1,6 +1,6 @@
title: Potential Linux Amazon SSM Agent Hijacking
id: f9b3edc5-3322-4fc7-8aa3-245d646cc4b7
status: experimental
status: test
description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
references:
- https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
@@ -1,6 +1,6 @@
title: PsExec Service Installation
id: 42c575ea-e41e-41f1-b248-8093c3e82a28
status: experimental
status: test
description: Detects PsExec service installation and execution events
references:
- https://www.jpcert.or.jp/english/pub/sr/ir_research.html
@@ -1,6 +1,6 @@
title: Windows Terminal Profile Settings Modification By Uncommon Process
id: 9b64de98-9db3-4033-bd7a-f51430105f00
status: experimental
status: test
description: Detects the creation or modification of the Windows Terminal Profile settings file "settings.json" by an uncommon process.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1547.015/T1547.015.md#atomic-test-1---persistence-by-modifying-windows-terminal-profile
@@ -1,6 +1,6 @@
title: CredUI.DLL Loaded By Uncommon Process
id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
status: experimental
status: test
description: Detects loading of "credui.dll" and related DLLs by an uncommon process. Attackers might leverage this DLL for potential use of "CredUIPromptForCredentials" or "CredUnPackAuthenticationBufferW".
references:
- https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html
@@ -1,6 +1,6 @@
title: Abusable DLL Potential Sideloading From Suspicious Location
id: 799a5f48-0ac1-4e0f-9152-71d137d48c2a
status: experimental
status: test
description: Detects potential DLL sideloading of DLLs that are known to be abused from suspicious locations
references:
- https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html
2 changes: 1 addition & 1 deletion rules/windows/image_load/image_load_side_load_avkkid.yml
@@ -1,6 +1,6 @@
title: Potential AVKkid.DLL Sideloading
id: 952ed57c-8f99-453d-aee0-53a49c22f95d
status: experimental
status: test
description: Detects potential DLL sideloading of "AVKkid.dll"
references:
- https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
@@ -1,6 +1,6 @@
title: Potential CCleanerDU.DLL Sideloading
id: 1fbc0671-5596-4e17-8682-f020a0b995dc
status: experimental
status: test
description: Detects potential DLL sideloading of "CCleanerDU.dll"
references:
- https://lab52.io/blog/2344-2/
@@ -1,6 +1,6 @@
title: Potential CCleanerReactivator.DLL Sideloading
id: 3735d5ac-d770-4da0-99ff-156b180bc600
status: experimental
status: test
description: Detects potential DLL sideloading of "CCleanerReactivator.dll"
references:
- https://lab52.io/blog/2344-2/
2 changes: 1 addition & 1 deletion rules/windows/image_load/image_load_side_load_eacore.yml
@@ -1,6 +1,6 @@
title: Potential EACore.DLL Sideloading
id: edd3ddc3-386f-4ba5-9ada-4376b2cfa7b5
status: experimental
status: test
description: Detects potential DLL sideloading of "EACore.dll"
references:
- https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
@@ -1,6 +1,6 @@
title: Potential Mfdetours.DLL Sideloading
id: d2605a99-2218-4894-8fd3-2afb7946514d
status: experimental
status: test
description: Detects potential DLL sideloading of "mfdetours.dll". While using "mftrace.exe" it can be abused to attach to an arbitrary process and force load any DLL named "mfdetours.dll" from the current directory of execution.
references:
- Internal Research
@@ -1,6 +1,6 @@
title: Potential Vivaldi_elf.DLL Sideloading
id: 2092cacb-d77b-4f98-ab0d-32b32f99a054
status: experimental
status: test
description: Detects potential DLL sideloading of "vivaldi_elf.dll"
references:
- https://research.checkpoint.com/2023/beyond-the-horizon-traveling-the-world-on-camaro-dragons-usb-flash-drives/
Expand Up @@ -3,7 +3,7 @@ id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
related:
- id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9
type: similar
status: experimental
status: test
description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
references:
- https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
@@ -1,6 +1,6 @@
title: Active Directory Computers Enumeration With Get-AdComputer
id: 36bed6b2-e9a0-4fff-beeb-413a92b86138
status: experimental
status: test
description: Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory.
references:
- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer
Expand Up @@ -7,7 +7,7 @@ related:
type: derived
- id: 3bf1d859-3a7e-44cb-8809-a99e066d3478 # PsScript High
type: derived
status: experimental
status: test
description: Detects PowerShell scripts set ACL to of a file or a folder
references:
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
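Review bot: the description in this hunk is ungrammatical ("Detects PowerShell scripts set ACL to of a file or a folder"); it should read "Detects PowerShell scripts that set the ACL of a file or a folder". A rule being promoted to `test` should not ship with a description a triage analyst has to reparse.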
Expand Up @@ -7,7 +7,7 @@ related:
type: derived
- id: bdeb2cff-af74-4094-8426-724dc937f20a # ProcCreation Low
type: derived
status: experimental
status: test
description: Detects PowerShell scripts to set the ACL to a file in the Windows folder
references:
- https://github.com/redcanaryco/atomic-red-team/blob/74438b0237d141ee9c99747976447dc884cb1a39/atomics/T1505.005/T1505.005.md
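Review bot: "Detects PowerShell scripts to set the ACL to a file in the Windows folder" reads awkwardly; suggest "Detects PowerShell scripts that set the ACL of a file in the Windows folder", which also keeps the wording parallel with the related generic ACL rule in this same commit.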
@@ -1,6 +1,6 @@
title: Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript
id: e2812b49-bae0-4b21-b366-7c142eafcde2
status: experimental
status: test
description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)
@@ -1,6 +1,6 @@
title: Potential Cookies Session Hijacking
id: 5a6e1e16-07de-48d8-8aae-faa766c05e88
status: experimental
status: test
description: Detects execution of "curl.exe" with the "-c" flag in order to save cookie data.
references:
- https://curl.se/docs/manpage.html
@@ -1,6 +1,6 @@
title: Curl Web Request With Potential Custom User-Agent
id: 85de1f22-d189-44e4-8239-dc276b45379b
status: experimental
status: test
description: Detects execution of "curl.exe" with a potential custom "User-Agent". Attackers can leverage this to download or exfiltrate data via "curl" to a domain that only accept specific "User-Agent" strings
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
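Review bot: subject-verb agreement in the description: "a domain that only accept specific "User-Agent" strings" should be "a domain that only accepts specific "User-Agent" strings", and the sentence lacks a terminating period.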
@@ -1,6 +1,6 @@
title: Suspicious File Download From IP Via Curl.EXE
id: 5cb299fc-5fb1-4d07-b989-0644c68b6043
status: experimental
status: test
description: Detects potentially suspicious file downloads directly from IP addresses using curl.exe
references:
- https://labs.withsecure.com/publications/fin7-target-veeam-servers
@@ -1,6 +1,6 @@
title: Insecure Proxy/DOH Transfer Via Curl.EXE
id: 2c1486f5-02e8-4f86-9099-b97f2da4ed77
status: experimental
status: test
description: Detects execution of "curl.exe" with the "insecure" flag over proxy or DOH.
references:
- https://curl.se/docs/manpage.html
@@ -1,6 +1,6 @@
title: Local File Read Using Curl.EXE
id: aa6f6ea6-0676-40dd-b510-6e46f02d8867
status: experimental
status: test
description: Detects execution of "curl.exe" with the "file://" protocol handler in order to read local files.
references:
- https://curl.se/docs/manpage.html
@@ -1,6 +1,6 @@
title: Potential Mftrace.EXE Abuse
id: 3d48c9d3-1aa6-418d-98d3-8fd3c01a564e
status: experimental
status: test
description: Detects child processes of the "Trace log generation tool for Media Foundation Tools" (Mftrace.exe) which can abused to execute arbitrary binaries.
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Mftrace/
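Review bot: the description is missing a word: "(Mftrace.exe) which can abused to execute arbitrary binaries" should be "which can be abused to execute arbitrary binaries". The related mfdetours.dll sideloading rule in this commit describes the same mftrace.exe behaviour correctly, so only this file needs the fix.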
Expand Up @@ -3,7 +3,7 @@ id: 7002aa10-b8d4-47ae-b5ba-51ab07e228b9
related:
- id: 418dc89a-9808-4b87-b1d7-e5ae0cb6effc
type: similar
status: experimental
status: test
description: Detects potential sideloading of "mpclient.dll" by Windows Defender processes ("MpCmdRun" and "NisSrv") from their non-default directory.
references:
- https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool
@@ -1,6 +1,6 @@
title: Windows Internet Hosted WebDav Share Mount Via Net.EXE
id: 7e6237fe-3ddb-438f-9381-9bf9de5af8d0
status: experimental
status: test
description: Detects when an internet hosted webdav share is mounted using the "net.exe" utility
references:
- https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
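Review bot: style point on the description: "internet hosted webdav share" should be "internet-hosted WebDAV share" (the protocol name is capitalised elsewhere in the repository), and the sentence has no terminating period.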
Expand Up @@ -3,7 +3,7 @@ id: 86588b36-c6d3-465f-9cee-8f9093e07798
related:
- id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
type: derived
status: experimental
status: test
description: Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
references:
- https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
@@ -1,6 +1,6 @@
title: Potential Amazon SSM Agent Hijacking
id: d20ee2f4-822c-4827-9e15-41500b1fff10
status: experimental
status: test
description: Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.
references:
- https://www.mitiga.io/blog/mitiga-security-advisory-abusing-the-ssm-agent-as-a-remote-access-trojan
@@ -1,6 +1,6 @@
title: Potential Data Exfiltration Activity Via CommandLine Tools
id: 7d1aaf3d-4304-425c-b7c3-162055e0b3ab
status: experimental
status: test
description: Detects the use of various CLI utilities exfiltrating data via web requests
references:
- https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
Expand Up @@ -3,7 +3,7 @@ id: caf201a9-c2ce-4a26-9c3a-2b9525413711
related:
- id: e2812b49-bae0-4b21-b366-7c142eafcde2
type: similar
status: experimental
status: test
description: Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)
Expand Up @@ -3,7 +3,7 @@ id: 3ef5605c-9eb9-47b0-9a71-b727e6aa5c3b
related:
- id: dd6b39d9-d9be-4a3b-8fe0-fe3c6a5c1795
type: similar
status: experimental
status: test
description: Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection
references:
- https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
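Review bot: the description is a sentence fragment: "Detect use of the Windows 8.3 short name. Which could be used as a method to avoid Image based detection" should be a single sentence, e.g. "Detects use of Windows 8.3 short names, which could be used as a method to avoid Image-based detection." Also use the third-person "Detects" that every other rule in this batch uses.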
@@ -1,6 +1,6 @@
title: VMToolsd Suspicious Child Process
id: 5687f942-867b-4578-ade7-1e341c46e99a
status: experimental
status: test
description: Detects suspicious child process creations of VMware Tools process which may indicate persistence setup
references:
- https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
@@ -1,6 +1,6 @@
title: Potential Binary Proxy Execution Via VSDiagnostics.EXE
id: ac1c92b4-ac81-405a-9978-4604d78cc47e
status: experimental
status: test
description: Detects execution of "VSDiagnostics.exe" with the "start" command in order to launch and proxy arbitrary binaries.
references:
- https://twitter.com/0xBoku/status/1679200664013135872
@@ -1,6 +1,6 @@
title: Suspicious File Download From IP Via Wget.EXE
id: 17f0c0a8-8bd5-4ee0-8c5f-a342c0199f35
status: experimental
status: test
description: Detects potentially suspicious file downloads directly from IP addresses using Wget.exe
references:
- https://www.gnu.org/software/wget/manual/wget.html
2 changes: 1 addition & 1 deletion rules/windows/sysmon/sysmon_file_block_shredding.yml
@@ -1,6 +1,6 @@
title: Sysmon Blocked File Shredding
id: c3e5c1b1-45e9-4632-b242-27939c170239
status: experimental
status: test
description: Triggers on any Sysmon "FileBlockShredding" event, which indicates a violation of the configured shredding policy.
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon