
Commit

Merge PR #4611 from @nasbench - Promote Older Rules Status From `experimental` To `test`

chore: promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
github-actions[bot] and nasbench committed Dec 1, 2023
1 parent 64c79b9 commit ae960f0
Showing 134 changed files with 134 additions and 134 deletions.
@@ -1,6 +1,6 @@
title: Potential Exploitation Attempt From Office Application
id: 868955d9-697e-45d4-a3da-360cefd7c216
status: experimental
status: test
description: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
references:
- https://twitter.com/sbousseaden/status/1531653369546301440
@@ -1,6 +1,6 @@
title: Potential CVE-2022-26809 Exploitation Attempt
id: a7cd7306-df8b-4398-b711-6f3e4935cf16
status: experimental
status: test
description: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809
@@ -1,6 +1,6 @@
title: Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877
id: 1b2eeb27-949b-4704-8bfa-d8e5cfa045a1
status: experimental
status: test
description: Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877
references:
- https://seclists.org/fulldisclosure/2023/Jan/1
@@ -1,6 +1,6 @@
title: Potential Exploitation Attempt Of Undocumented WindowsServer RCE
id: 6d5b8176-d87d-4402-8af4-53aee9db7b5d
status: experimental
status: test
description: Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
references:
- https://github.com/SigmaHQ/sigma/pull/3946
@@ -1,6 +1,6 @@
title: Scheduled Task Deletion
id: 4f86b304-3e02-40e3-aa5d-e88a167c9617
status: experimental
status: test
description: Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME
references:
- https://twitter.com/matthewdunwoody/status/1352356685982146562
@@ -1,6 +1,6 @@
title: Suspicious SignIns From A Non Registered Device
id: 572b12d4-9062-11ed-a1eb-0242ac120002
status: experimental
status: test
description: Detects risky authencaition from a non AD registered device without MFA being required.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
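Review bot: the description in this hunk carries a typo, "authencaition", and "non AD registered" is hard to read; since the file is already being touched for the status bump, fix it to "Detects risky authentication from a non-AD-registered device without MFA being required."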
2 changes: 1 addition & 1 deletion rules/cloud/github/github_delete_action_invoked.yml
@@ -1,6 +1,6 @@
title: Github Delete Action Invoked
id: 16a71777-0b2e-4db7-9888-9d59cb75200b
status: experimental
status: test
description: Detects delete action in the Github audit logs for codespaces, environment, project and repo.
author: Muhammad Faisal
date: 2023/01/19
@@ -1,6 +1,6 @@
title: Github High Risk Configuration Disabled
id: 8622c92d-c00e-463c-b09d-fd06166f6794
status: experimental
status: test
description: Detects when a user disables a critical security feature for an organization.
author: Muhammad Faisal
date: 2023/01/29
@@ -1,6 +1,6 @@
title: Outdated Dependency Or Vulnerability Alert Disabled
id: 34e1c7d4-0cd5-419d-9f1b-1dad3f61018d
status: experimental
status: test
description: |
Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts.
This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.
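Review bot: the second description line in this hunk is missing a word: "disables Dependabot alerts private repositories" should read "disables Dependabot alerts for private repositories", otherwise the sentence does not parse.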
2 changes: 1 addition & 1 deletion rules/cloud/github/github_new_org_member.yml
@@ -1,6 +1,6 @@
title: New Github Organization Member Added
id: 3908d64a-3c06-4091-b503-b3a94424533b
status: experimental
status: test
description: Detects when a new member is added or invited to a github organization.
author: Muhammad Faisal
date: 2023/01/29
2 changes: 1 addition & 1 deletion rules/cloud/github/github_new_secret_created.yml
@@ -1,6 +1,6 @@
title: Github New Secret Created
id: f9405037-bc97-4eb7-baba-167dad399b83
status: experimental
status: test
description: Detects when a user creates action secret for the organization, environment, codespaces or repository.
author: Muhammad Faisal
date: 2023/01/20
@@ -1,6 +1,6 @@
title: Github Outside Collaborator Detected
id: eaa9ac35-1730-441f-9587-25767bde99d7
status: experimental
status: test
description: |
Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
author: Muhammad Faisal
@@ -1,6 +1,6 @@
title: Github Self Hosted Runner Changes Detected
id: f8ed0e8f-7438-4b79-85eb-f358ef2fbebd
status: experimental
status: test
description: |
A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com.
This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected,
2 changes: 1 addition & 1 deletion rules/cloud/okta/okta_admin_role_assignment_created.yml
@@ -1,6 +1,6 @@
title: Okta Admin Role Assignment Created
id: 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c
status: experimental
status: test
description: Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence
references:
- https://developer.okta.com/docs/reference/api/system-log/
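Review bot: the description in this hunk splits one thought into a sentence fragment beginning with "Which"; join it as "Detects when a new admin role assignment is created, which could be a sign of privilege escalation or persistence." The same ". Which ..." pattern recurs in the descriptions of Potential Suspicious BPF Activity - Linux, Juniper BGP Missing MD5 and the Import-Module rule later in this commit.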
@@ -1,6 +1,6 @@
title: PwnKit Local Privilege Escalation
id: 0506a799-698b-43b4-85a1-ac4c84c720e9
status: experimental
status: test
description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
references:
- https://twitter.com/wdormann/status/1486161836961579020
@@ -1,6 +1,6 @@
title: Nimbuspwn Exploitation
id: 7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8
status: experimental
status: test
description: Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)
references:
- https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
2 changes: 1 addition & 1 deletion rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml
@@ -1,6 +1,6 @@
title: Potential Suspicious BPF Activity - Linux
id: 0fadd880-6af3-4610-b1e5-008dc3a11b8a
status: experimental
status: test
description: Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.
references:
- https://redcanary.com/blog/ebpf-malware/
2 changes: 1 addition & 1 deletion rules/linux/builtin/lnx_susp_dev_tcp.yml
@@ -1,6 +1,6 @@
title: Suspicious Use of /dev/tcp
id: 6cc5fceb-9a71-4c23-aeeb-963abe0b279c
status: experimental
status: test
description: Detects suspicious command with /dev/tcp
references:
- https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/
@@ -1,6 +1,6 @@
title: Enable BPF Kprobes Tracing
id: 7692f583-bd30-4008-8615-75dab3f08a99
status: experimental
status: test
description: Detects common command used to enable bpf kprobes tracing
references:
- https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/
@@ -1,6 +1,6 @@
title: Copy Passwd Or Shadow From TMP Path
id: fa4aaed5-4fe0-498d-bbc0-08e3346387ba
status: experimental
status: test
description: Detects when the file "passwd" or "shadow" is copied from tmp path
references:
- https://blogs.blackberry.com/
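Review bot: the reference in this hunk points at the BlackBerry blog root (https://blogs.blackberry.com/) rather than a specific article, so it cannot be used to verify the detection logic; replace it with the URL of the post the rule was derived from. The next four rules in this commit (Ufw Force Stop Using Ufw-Init, Flush Iptables Ufw Chain, Mount Execution With Hidepid Parameter, Touch Suspicious Service File) carry the same bare reference.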
@@ -1,6 +1,6 @@
title: Ufw Force Stop Using Ufw-Init
id: 84c9e83c-599a-458a-a0cb-0ecce44e807a
status: experimental
status: test
description: Detects attempts to force stop the ufw using ufw-init
references:
- https://blogs.blackberry.com/
@@ -1,6 +1,6 @@
title: Flush Iptables Ufw Chain
id: 3be619f4-d9ec-4ea8-a173-18fdd01996ab
status: experimental
status: test
description: Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic
references:
- https://blogs.blackberry.com/
@@ -1,6 +1,6 @@
title: Mount Execution With Hidepid Parameter
id: ec52985a-d024-41e3-8ff6-14169039a0b3
status: experimental
status: test
description: Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system
references:
- https://blogs.blackberry.com/
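Review bot: the description in this hunk is awkwardly phrased; "to make invisible processes to other users from the system" reads better as "to hide processes from other users on the system".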
@@ -1,6 +1,6 @@
title: Touch Suspicious Service File
id: 31545105-3444-4584-bebf-c466353230d2
status: experimental
status: test
description: Detects usage of the "touch" process in service file.
references:
- https://blogs.blackberry.com/
Expand Up @@ -3,7 +3,7 @@ id: 7794fa3c-edea-4cff-bec7-267dd4770fd7
related:
- id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
type: derived
status: experimental
status: test
description: Detects possible collection of data from the clipboard via execution of the osascript binary
references:
- https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
Expand Up @@ -3,7 +3,7 @@ id: f1408a58-0e94-4165-b80a-da9f96cf6fc3
related:
- id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
type: derived
status: experimental
status: test
description: Detects possible malicious execution of JXA in-memory via OSAScript
references:
- https://redcanary.com/blog/applescript/
@@ -1,6 +1,6 @@
title: Suspicious Microsoft Office Child Process - MacOS
id: 69483748-1525-4a6c-95ca-90dc8d431b68
status: experimental
status: test
description: Detects suspicious child processes spawning from microsoft office suite applications such as word or excel. This could indicates malicious macro execution
references:
- https://redcanary.com/blog/applescript/
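Review bot: grammar in this hunk's description: "This could indicates malicious macro execution" should be "This could indicate malicious macro execution", and "microsoft office suite applications such as word or excel" should capitalise the product names (Microsoft Office, Word, Excel).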
@@ -1,6 +1,6 @@
title: OSACompile Run-Only Execution
id: b9d9b652-d8ed-4697-89a2-a1186ee680ac
status: experimental
status: test
description: Detects potential suspicious run-only executions compiled using OSACompile
references:
- https://redcanary.com/blog/applescript/
2 changes: 1 addition & 1 deletion rules/network/cisco/bgp/cisco_bgp_md5_auth_failed.yml
@@ -1,6 +1,6 @@
title: Cisco BGP Authentication Failures
id: 56fa3cd6-f8d6-4520-a8c7-607292971886
status: experimental
status: test
description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing
references:
- https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
2 changes: 1 addition & 1 deletion rules/network/cisco/ldp/cisco_ldp_md5_auth_failed.yml
@@ -1,6 +1,6 @@
title: Cisco LDP Authentication Failures
id: 50e606bf-04ce-4ca7-9d54-3449494bbd4b
status: experimental
status: test
description: Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels
references:
- https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
2 changes: 1 addition & 1 deletion rules/network/huawei/bgp/huawei_bgp_auth_failed.yml
@@ -1,6 +1,6 @@
title: Huawei BGP Authentication Failures
id: a557ffe6-ac54-43d2-ae69-158027082350
status: experimental
status: test
description: Detects BGP failures which may be indicative of brute force attacks to manipulate routing.
references:
- https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
2 changes: 1 addition & 1 deletion rules/network/juniper/bgp/juniper_bgp_missing_md5.yml
@@ -1,6 +1,6 @@
title: Juniper BGP Missing MD5
id: a7c0ae48-8df8-42bf-91bd-2ea57e2f9d43
status: experimental
status: test
description: Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.
references:
- https://www.blackhat.com/presentations/bh-usa-03/bh-us-03-convery-franz-v3.pdf
@@ -1,6 +1,6 @@
title: Java Payload Strings
id: 583aa0a2-30b1-4d62-8bf3-ab73689efe6c
status: experimental
status: test
description: Detects possible Java payloads in web access logs
references:
- https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/
@@ -1,6 +1,6 @@
title: Restricted Software Access By SRP
id: b4c8da4a-1c12-46b0-8a2b-0a8521d03442
status: experimental
status: test
description: Detects restricted access to applications by the Software Restriction Policies (SRP) policy
references:
- https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies
@@ -1,6 +1,6 @@
title: Deployment AppX Package Was Blocked By AppLocker
id: 6ae53108-c3a0-4bee-8f45-c7591a2c337f
status: experimental
status: test
description: Detects an appx package deployment that was blocked by AppLocker policy
references:
- https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
@@ -1,6 +1,6 @@
title: Potential Malicious AppX Package Installation Attempts
id: 09d3b48b-be17-47f5-bf4e-94e7e75d09ce
status: experimental
status: test
description: Detects potential installation or installation attempts of known malicious appx packages
references:
- https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/
@@ -1,6 +1,6 @@
title: Deployment Of The AppX Package Was Blocked By The Policy
id: e021bbb5-407f-41f5-9dc9-1864c45a7a51
status: experimental
status: test
description: Detects an appx package deployment that was blocked by the local computer policy
references:
- https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting
@@ -1,6 +1,6 @@
title: Suspicious AppX Package Installation Attempt
id: 898d5fc9-fbc3-43de-93ad-38e97237c344
status: experimental
status: test
description: Detects an appx package installation with the error code "0x80073cff" which indicates that the package didn't meet the signing requirements and could be suspicious
references:
- Internal Research
@@ -1,6 +1,6 @@
title: Suspicious AppX Package Locations
id: 5cdeaf3d-1489-477c-95ab-c318559fc051
status: experimental
status: test
description: Detects an appx package added the pipeline of the "to be processed" packages which is located in suspicious locations
references:
- Internal Research
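Review bot: the description in this hunk is missing a preposition: "added the pipeline of the "to be processed" packages which is located in suspicious locations" should read "added to the pipeline of "to be processed" packages from a suspicious location". The Uncommon AppX Package Locations rule that follows has the same wording.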
@@ -1,6 +1,6 @@
title: Uncommon AppX Package Locations
id: c977cb50-3dff-4a9f-b873-9290f56132f1
status: experimental
status: test
description: Detects an appx package added the pipeline of the "to be processed" packages which is located in uncommon locations
references:
- Internal Research
@@ -1,6 +1,6 @@
title: Suspicious Digital Signature Of AppX Package
id: b5aa7d60-c17e-4538-97de-09029d6cd76b
status: experimental
status: test
description: Detects execution of AppX packages with known suspicious or malicious signature
references:
- Internal Research
Expand Up @@ -3,7 +3,7 @@ id: 29f171d7-aa47-42c7-9c7b-3c87938164d9
related:
- id: 065cceea-77ec-4030-9052-fc0affea7110
type: similar
status: experimental
status: test
description: Detects DNS queries for anonfiles.com, which is an anonymous file upload platform often used for malicious purposes
references:
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
@@ -1,6 +1,6 @@
title: The Windows Defender Firewall Service Failed To Load Group Policy
id: 7ec15688-fd24-4177-ba43-1a950537ee39
status: experimental
status: test
description: Detects activity when The Windows Defender Firewall service failed to load Group Policy
references:
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
2 changes: 1 addition & 1 deletion rules/windows/dns_query/dns_query_win_anonymfiles_com.yml
Expand Up @@ -3,7 +3,7 @@ id: 065cceea-77ec-4030-9052-fc0affea7110
related:
- id: 29f171d7-aa47-42c7-9c7b-3c87938164d9
type: similar
status: experimental
status: test
description: Detects DNS queries for "anonfiles.com", which is an anonymous file upload platform often used for malicious purposes
references:
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-blackbyte
Expand Up @@ -3,7 +3,7 @@ id: 28208707-fe31-437f-9a7f-4b1108b94d2e
related:
- id: 2aa0a6b4-a865-495b-ab51-c28249537b75
type: similar
status: experimental
status: test
description: Detects when a file with a suspicious extension is created in the startup folder
references:
- https://github.com/last-byte/PersistenceSniper
Expand Up @@ -3,7 +3,7 @@ id: 3a9fa2ec-30bc-4ebd-b49e-7c9cff225502
related:
- id: b5b78988-486d-4a80-b991-930eff3ff8bf
type: similar
status: experimental
status: test
description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
Expand Up @@ -3,7 +3,7 @@ id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
related:
- id: df6ecb8b-7822-4f4b-b412-08f524b4576c # FileEvent rule
type: similar
status: experimental
status: test
description: Detects DLL sideloading of system dlls that are not present on the system by default. Usually to achieve techniques such as UAC bypass and privilege escalation
references:
- https://decoded.avast.io/martinchlumecky/png-steganography/
Expand Up @@ -5,7 +5,7 @@ related:
type: similar
- id: 9e620995-f2d8-4630-8430-4afd89f77604
type: similar
status: experimental
status: test
description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
references:
- https://github.com/samratashok/ADModule
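Review bot: the DLL name in this hunk's description, "Microsoft.ActiveDirectory.Management.dl", looks truncated by one character; the text itself calls it a DLL, so it should presumably read "Microsoft.ActiveDirectory.Management.dll". The trailing fragment "Which is often used by attackers to perform AD enumeration." should also be joined to the preceding sentence with a comma.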
