Merge PR SigmaHQ#4841 from @nasbench - Promote older rules status fro…

…m `experimental` to `test`

chore: promote older rules status from "experimental" to "test"

rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml

@@ -1,6 +1,6 @@
 title: Suspicious Word Cab File Write CVE-2021-40444
 id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5
-status: experimental
+status: test
 description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
 references:
     - https://twitter.com/RonnyTNL/status/1436334640617373699?s=20

rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml

@@ -1,6 +1,6 @@
 title: Potential CVE-2023-2283 Exploitation
 id: 8b244735-5833-4517-a45b-28d8c63924c0
-status: experimental
+status: test
 description: Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.
 references:
     - https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20

rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yml

@@ -1,6 +1,6 @@
 title: Potential CVE-2023-25157 Exploitation Attempt
 id: c0341543-5ed0-4475-aabc-7eea8c52aa66
-status: experimental
+status: test
 description: Detects a potential exploitation attempt of CVE-2023-25157 a SQL injection in GeoServer
 references:
     - https://github.com/win3zz/CVE-2023-25157

rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_exfil_mail_pattern.yml

@@ -1,6 +1,6 @@
 title: UNC4841 - Email Exfiltration File Pattern
 id: 0785f462-60b0-4031-9ff4-b4f3a0ba589a
-status: experimental
+status: test
 description: Detects filename pattern of email related data used by UNC4841 for staging and exfiltration
 references:
     - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally

rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/file_event_lnx_apt_unc4841_file_indicators.yml

@@ -1,6 +1,6 @@
 title: UNC4841 - Barracuda ESG Exploitation Indicators
 id: 5627c337-a9b2-407a-a82d-5fd97035ff39
-status: experimental
+status: test
 description: Detects file indicators as seen used by UNC4841 during their Barracuda ESG zero day exploitation.
 references:
     - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally

rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_openssl_connection.yml

@@ -1,6 +1,6 @@
 title: UNC4841 - SSL Certificate Exfiltration Via Openssl
 id: 60911c07-f989-4362-84af-c609828ef829
-status: experimental
+status: test
 description: Detects the execution of "openssl" to connect to an IP address. This techniques was used by UNC4841 to exfiltrate SSL certificates and as a C2 channel with named pipes. Investigate commands executed in the temporal vicinity of this command.
 references:
     - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally

rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_compressed_file_tmep_sh.yml

@@ -1,6 +1,6 @@
 title: UNC4841 - Download Compressed Files From Temp.sh Using Wget
 id: 60d050c4-e253-4d9a-b673-5ac100cfddfb
-status: experimental
+status: test
 description: Detects execution of "wget" to download a ".zip" or ".rar" files from "temp.sh". As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
 references:
     - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally

rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_apt_unc4841_wget_download_tar_files_direct_ip.yml

@@ -1,6 +1,6 @@
 title: UNC4841 - Download Tar File From Untrusted Direct IP Via Wget
 id: 23835beb-ec38-4e74-a5d4-b99af6684e91
-status: experimental
+status: test
 description: Detects execution of "wget" to download a "tar" from an IP address that doesn't have a trusted certificate. As seen used by UNC4841 during their Barracuda ESG zero day exploitation.
 references:
     - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally

rules-emerging-threats/2023/TA/UNC4841-Barracuda-ESG-Zero-Day-Exploitation/proc_creation_lnx_atp_unc4841_seaspy_execution.yml

@@ -1,6 +1,6 @@
 title: UNC4841 - Potential SEASPY Execution
 id: f6a711f3-d032-4f9e-890b-bbe776236c84
-status: experimental
+status: test
 description: Detects execution of specific named binaries which were used by UNC4841 to deploy their SEASPY backdoor
 references:
     - https://www.mandiant.com/resources/blog/barracuda-esg-exploited-globally

rules-threat-hunting/windows/powershell/powershell_script/posh_ps_registry_reconnaissance.yml

@@ -3,7 +3,7 @@ id: 064060aa-09fb-4636-817f-020a32aa7e9e
 related:
     - id: 970007b7-ce32-49d0-a4a4-fbef016950bd
       type: similar
-status: experimental
+status: test
 description: Detects PowerShell scripts with potential registry reconnaissance capabilities. Adversaries may interact with the Windows registry to gather information about the system credentials, configuration, and installed software.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1012/T1012.md

rules-threat-hunting/windows/process_creation/proc_creation_win_dfsvc_child_processes.yml

@@ -1,6 +1,6 @@
 title: ClickOnce Deployment Execution - Dfsvc.EXE Child Process
 id: 241d52b5-eee0-49d0-ac8a-8b9c15c7221c
-status: experimental
+status: test
 description: Detects child processes of "dfsvc" which indicates a ClickOnce deployment execution.
 references:
     - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5

rules/linux/process_creation/proc_creation_lnx_base64_execution.yml

@@ -1,6 +1,6 @@
 title: Linux Base64 Encoded Pipe to Shell
 id: ba592c6d-6888-43c3-b8c6-689b8fe47337
-status: experimental
+status: test
 description: Detects suspicious process command line that uses base64 encoded input for execution with a shell
 references:
     - https://github.com/arget13/DDexec

rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation.yml

@@ -1,6 +1,6 @@
 title: Named Pipe Created Via Mkfifo
 id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
-status: experimental
+status: test
 description: Detects the creation of a new named pipe using the "mkfifo" utility
 references:
     - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk

rules/linux/process_creation/proc_creation_lnx_mkfifo_named_pipe_creation_susp_location.yml

@@ -3,7 +3,7 @@ id: 999c3b12-0a8c-40b6-8e13-dd7d62b75c7a
 related:
     - id: 9d779ce8-5256-4b13-8b6f-b91c602b43f4
       type: derived
-status: experimental
+status: test
 description: Detects the creation of a new named pipe using the "mkfifo" utility in a potentially suspicious location
 references:
     - https://dev.to/0xbf/use-mkfifo-to-create-named-pipe-linux-tips-5bbk

rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml

@@ -3,7 +3,7 @@ id: c4042d54-110d-45dd-a0e1-05c47822c937
 related:
     - id: 32e62bc7-3de0-4bb1-90af-532978fe42c0
       type: similar
-status: experimental
+status: test
 description: Detects python spawning a pretty tty which could be indicative of potential reverse shell activity
 references:
     - https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence/

rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml

@@ -1,6 +1,6 @@
 title: CodeIntegrity - Blocked Image/Driver Load For Policy Violation
 id: e4be5675-4a53-426a-8c81-a8bb2387e947
-status: experimental
+status: test
 description: Detects blocked load events that did not meet the authenticode signing level requirements or violated the code integrity policy.
 references:
     - https://twitter.com/wdormann/status/1590434950335320065

rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml

@@ -1,6 +1,6 @@
 title: CodeIntegrity - Unmet WHQL Requirements For Loaded Kernel Module
 id: 2f8cd7a0-9d5a-4f62-9f8b-2c951aa0dd1f
-status: experimental
+status: test
 description: Detects loaded kernel modules that did not meet the WHQL signing requirements.
 references:
     - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations

rules/windows/builtin/firewall_as/win_firewall_as_delete_rule.yml

@@ -1,6 +1,6 @@
 title: A Rule Has Been Deleted From The Windows Firewall Exception List
 id: c187c075-bb3e-4c62-b4fa-beae0ffc211f
-status: experimental
+status: test
 description: Detects when a single rules or all of the rules have been deleted from the Windows Defender Firewall
 references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)

rules/windows/builtin/system/service_control_manager/win_system_service_install_remote_access_software.yml

@@ -3,7 +3,7 @@ id: 1a31b18a-f00c-4061-9900-f735b96c99fc
 related:
     - id: c8b00925-926c-47e3-beea-298fd563728e
       type: similar
-status: experimental
+status: test
 description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform
 references:
     - https://redcanary.com/blog/misbehaving-rats/

rules/windows/create_stream_hash/create_stream_hash_creation_internet_file.yml

@@ -1,6 +1,6 @@
 title: Creation Of a Suspicious ADS File Outside a Browser Download
 id: 573df571-a223-43bc-846e-3f98da481eca
-status: experimental
+status: test
 description: Detects the creation of a suspicious ADS (Alternate Data Stream) file by software other than browsers
 references:
     - https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/

rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml

@@ -1,6 +1,6 @@
 title: File With Uncommon Extension Created By An Office Application
 id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4
-status: experimental
+status: test
 description: Detects the creation of files with an executable or script extension by an Office application.
 references:
     - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/

rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_exe.yml

@@ -1,6 +1,6 @@
 title: Legitimate Application Dropped Executable
 id: f0540f7e-2db3-4432-b9e0-3965486744bc
-status: experimental
+status: test
 description: Detects programs on a Windows system that should not write executables to disk
 references:
     - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326

rules/windows/file/file_event/file_event_win_susp_legitimate_app_dropping_script.yml

@@ -1,6 +1,6 @@
 title: Legitimate Application Dropped Script
 id: 7d604714-e071-49ff-8726-edeb95a70679
-status: experimental
+status: test
 description: Detects programs on a Windows system that should not write scripts to disk
 references:
     - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326

rules/windows/image_load/image_load_side_load_7za.yml

@@ -1,6 +1,6 @@
 title: Potential 7za.DLL Sideloading
 id: 4f6edb78-5c21-42ab-a558-fd2a6fc1fd57
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "7za.dll"
 references:
     - https://www.gov.pl/attachment/ee91f24d-3e67-436d-aa50-7fa56acf789d

rules/windows/image_load/image_load_side_load_appverifui.yml

@@ -1,6 +1,6 @@
 title: Potential appverifUI.DLL Sideloading
 id: ee6cea48-c5b6-4304-a332-10fc6446f484
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "appverifUI.dll"
 references:
     - https://fatrodzianko.com/2020/02/15/dll-side-loading-appverif-exe/

rules/windows/image_load/image_load_side_load_edputil.yml

@@ -1,6 +1,6 @@
 title: Potential Edputil.DLL Sideloading
 id: e4903324-1a10-4ed3-981b-f6fe3be3a2c2
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "edputil.dll"
 references:
     - https://alternativeto.net/news/2023/5/cybercriminals-use-wordpad-vulnerability-to-spread-qbot-malware/

rules/windows/image_load/image_load_side_load_rjvplatform_default_location.yml

@@ -1,6 +1,6 @@
 title: Potential RjvPlatform.DLL Sideloading From Default Location
 id: 259dda31-b7a3-444f-b7d8-17f96e8a7d0d
-status: experimental
+status: test
 description: Detects loading of "RjvPlatform.dll" by the "SystemResetPlatform.exe" binary which can be abused as a method of DLL side loading since the "$SysReset" directory isn't created by default.
 references:
     - https://twitter.com/0gtweet/status/1666716511988330499

rules/windows/image_load/image_load_side_load_rjvplatform_non_default_location.yml

@@ -1,6 +1,6 @@
 title: Potential RjvPlatform.DLL Sideloading From Non-Default Location
 id: 0e0bc253-07ed-43f1-816d-e1b220fe8971
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "RjvPlatform.dll" by "SystemResetPlatform.exe" located in a non-default location.
 references:
     - https://twitter.com/0gtweet/status/1666716511988330499

rules/windows/image_load/image_load_side_load_shelldispatch.yml

@@ -1,6 +1,6 @@
 title: Potential ShellDispatch.DLL Sideloading
 id: 844f8eb2-610b-42c8-89a4-47596e089663
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "ShellDispatch.dll"
 references:
     - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/

rules/windows/image_load/image_load_side_load_waveedit.yml

@@ -1,6 +1,6 @@
 title: Potential Waveedit.DLL Sideloading
 id: 71b31e99-9ad0-47d4-aeb5-c0ca3928eeeb
-status: experimental
+status: test
 description: Detects potential DLL sideloading of "waveedit.dll", which is part of the Nero WaveEditor audio editing software.
 references:
     - https://www.trendmicro.com/en_us/research/23/f/behind-the-scenes-unveiling-the-hidden-workings-of-earth-preta.html

rules/windows/image_load/image_load_susp_clickonce_unsigned_module_loaded.yml

@@ -1,6 +1,6 @@
 title: Unsigned Module Loaded by ClickOnce Application
 id: 060d5ad4-3153-47bb-8382-43e5e29eda92
-status: experimental
+status: test
 description: Detects unsigned module load by ClickOnce application.
 references:
     - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5

rules/windows/powershell/powershell_script/posh_ps_win_api_susp_access.yml

@@ -3,7 +3,7 @@ id: 03d83090-8cba-44a0-b02f-0b756a050306
 related:
     - id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
       type: similar
-status: experimental
+status: test
 description: Detects use of WinAPI functions in PowerShell scripts
 references:
     - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse

rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml

@@ -1,6 +1,6 @@
 title: Potential Adplus.EXE Abuse
 id: 2f869d59-7f6a-4931-992c-cce556ff2d53
-status: experimental
+status: test
 description: Detects execution of "AdPlus.exe", a binary that is part of the Windows SDK that can be used as a LOLBIN in order to dump process memory and execute arbitrary commands.
 references:
     - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/

rules/windows/process_creation/proc_creation_win_curl_insecure_connection.yml

@@ -1,6 +1,6 @@
 title: Insecure Transfer Via Curl.EXE
 id: cb9cc1d1-e84e-4bdc-b7ad-c31b1b7908ec
-status: experimental
+status: test
 description: Detects execution of "curl.exe" with the "--insecure" flag.
 references:
     - https://curl.se/docs/manpage.html

rules/windows/process_creation/proc_creation_win_dfsvc_suspicious_child_processes.yml

@@ -1,6 +1,6 @@
 title: Potentially Suspicious Child Process Of ClickOnce Application
 id: 67bc0e75-c0a9-4cfc-8754-84a505b63c04
-status: experimental
+status: test
 description: Detects potentially suspicious child processes of a ClickOnce deployment application
 references:
     - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5

rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml

@@ -1,6 +1,6 @@
 title: Gpscript Execution
 id: 1e59c230-6670-45bf-83b0-98903780607e
-status: experimental
+status: test
 description: Detects the execution of the LOLBIN gpscript, which executes logon or startup scripts configured in Group Policy
 references:
     - https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/

rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml

@@ -3,7 +3,7 @@ id: 4ae3e30b-b03f-43aa-87e3-b622f4048eed
 related:
     - id: 0c79148b-118e-472b-bdb7-9b57b444cc19
       type: obsoletes
-status: experimental
+status: test
 description: Detects potential arbitrary file download using a Microsoft Office application
 references:
     - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/

rules/windows/process_creation/proc_creation_win_registry_logon_script.yml

@@ -3,7 +3,7 @@ id: 21d856f9-9281-4ded-9377-51a1a6e2a432
 related:
     - id: 0a98a10c-685d-4ab0-bddc-b6bdd1d48458
       type: derived
-status: experimental
+status: test
 description: Detects the addition of a new LogonScript to the registry value "UserInitMprLogonScript" for potential persistence
 references:
     - https://cocomelonc.github.io/persistence/2022/12/09/malware-pers-20.html

rules/windows/process_creation/proc_creation_win_rundll32_shelldispatch_potential_abuse.yml

@@ -1,6 +1,6 @@
 title: Potential ShellDispatch.DLL Functionality Abuse
 id: 82343930-652f-43f5-ab70-2ee9fdd6d5e9
-status: experimental
+status: test
 description: Detects potential "ShellDispatch.dll" functionality abuse to execute arbitrary binaries via "ShellExecute"
 references:
     - https://www.hexacorn.com/blog/2023/06/07/this-lolbin-doesnt-exist/

rules/windows/process_creation/proc_creation_win_sndvol_susp_child_processes.yml

@@ -1,6 +1,6 @@
 title: Uncommon Child Processes Of SndVol.exe
 id: ba42babc-0666-4393-a4f7-ceaf5a69191e
-status: experimental
+status: test
 description: Detects potentially uncommon child processes of SndVol.exe (the Windows volume mixer)
 references:
     - https://twitter.com/Max_Mal_/status/1661322732456353792

rules/windows/process_creation/proc_creation_win_tpmvscmgr_add_virtual_smartcard.yml

@@ -1,6 +1,6 @@
 title: New Virtual Smart Card Created Via TpmVscMgr.EXE
 id: c633622e-cab9-4eaa-bb13-66a1d68b3e47
-status: experimental
+status: test
 description: Detects execution of "Tpmvscmgr.exe" to create a new virtual smart card.
 references:
     - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr

rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml

@@ -3,7 +3,7 @@ id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d
 related:
     - id: 236d8e89-ed95-4789-a982-36f4643738ba
       type: derived
-status: experimental
+status: test
 description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state
 references:
     - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/

rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence_susp.yml

@@ -3,7 +3,7 @@ id: 236d8e89-ed95-4789-a982-36f4643738ba
 related:
     - id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d
       type: derived
-status: experimental
+status: test
 description: Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state
 references:
     - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/

rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml

@@ -3,7 +3,7 @@ id: fabfb3a7-3ce1-4445-9c7c-3c27f1051cdd
 related:
     - id: 0cf2e1c6-8d10-4273-8059-738778f981ad
       type: derived
-status: experimental
+status: test
 description: Detects execution of "WerFault.exe" with the "-pr" commandline flag that is used to run files stored in the ReflectDebugger key which could be used to store the path to the malware in order to masquerade the execution flow
 references:
     - https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html

rules/windows/process_creation/proc_creation_win_wscript_cscript_uncommon_extension_exec.yml

@@ -1,6 +1,6 @@
 title: Cscript/Wscript Uncommon Script Extension Execution
 id: 99b7460d-c9f1-40d7-a316-1f36f61d52ee
-status: experimental
+status: test
 description: Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension
 references:
     - Internal Research