chore: promote older rules status from experimental to test

Author: nasbench

Diff for: rules-emerging-threats/2024/Exploits/CVE-2024-3400/file_event_paloalto_globalprotect_exploit_cve_2024_3400_command_inject_file_creation.yml

@@ -1,6 +1,6 @@
 title: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
 id: bcd95697-e3e7-4c6f-8584-8e3503e6929f
-status: experimental
+status: test
 description: |
     Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled.
     As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.

Diff for: rules-emerging-threats/2024/Exploits/CVE-2024-3400/paloalto_globalprotect_exploit_cve_2024_3400_command_injection.yml

@@ -1,6 +1,6 @@
 title: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
 id: f130a5f1-73ba-42f0-bf1e-b66a8361cb8f
-status: experimental
+status: test
 description: |
     Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect.
     This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.

Diff for: rules-emerging-threats/2024/TA/Forest-Blizzard/file_event_win_apt_forest_blizzard_constrained_js.yml

@@ -1,6 +1,6 @@
 title: Forest Blizzard APT - JavaScript Constrained File Creation
 id: ec7c4e9b-9bc9-47c7-a32f-b53b598da642
-status: experimental
+status: test
 description: |
     Detects the creation of JavaScript files inside of the DriverStore directory.
     Forest Blizzard used this to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.

Diff for: rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler.yml

@@ -1,6 +1,6 @@
 title: Forest Blizzard APT - Custom Protocol Handler Creation
 id: 5cdeb555-65de-4767-99fe-e26807465148
-status: experimental
+status: test
 description: |
     Detects the setting of a custom protocol handler with the name "rogue".
     Seen being created by Forest Blizzard APT as reported by MSFT.

Diff for: rules-emerging-threats/2024/TA/Forest-Blizzard/registry_set_apt_forest_blizzard_custom_protocol_handler_dll.yml

@@ -1,6 +1,6 @@
 title: Forest Blizzard APT - Custom Protocol Handler DLL Registry Set
 id: d807056b-0e00-4cec-b7f8-b8b7518e382b
-status: experimental
+status: test
 description: |
     Detects the setting of the DLL that handles the custom protocol handler.
     Seen being created by Forest Blizzard APT as reported by MSFT.

Diff for: rules-threat-hunting/linux/file/file_event/file_event_lnx_python_path_configuration_files.yml

@@ -5,7 +5,7 @@ related:
       type: similar
     - id: 4f394635-13ef-4599-b677-3353e0f84f55 # MacOS
       type: similar
-status: experimental
+status: test
 description: |
     Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
     Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.

Diff for: rules-threat-hunting/macos/file/file_event/file_event_macos_python_path_configuration_files.yml

@@ -5,7 +5,7 @@ related:
       type: similar
     - id: fb96c26c-9f85-4ae7-af0d-ed1ed1f1f5ce # Linux
       type: similar
-status: experimental
+status: test
 description: |
     Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
     Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.

Diff for: rules-threat-hunting/windows/file/file_event/file_event_win_python_path_configuration_files.yml

@@ -5,7 +5,7 @@ related:
       type: similar
     - id: 4f394635-13ef-4599-b677-3353e0f84f55 # MacOS
       type: similar
-status: experimental
+status: test
 description: |
     Detects creation of a Python path configuration file (.pth) in Python library folders, which can be maliciously abused for code execution and persistence.
     Modules referenced by these files are run at every Python startup (v3.5+), regardless of whether the module is imported by the calling script.

Diff for: rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_new_netfirewallrule_allow.yml

@@ -3,7 +3,7 @@ id: 51483085-0cba-46a8-837e-4416496d6971
 related:
     - id: 8d31dd2e-b582-48ca-826e-dcaa2c1ca264
       type: similar
-status: experimental
+status: test
 description: |
     Detects calls to the "New-NetFirewallRule" cmdlet from PowerShell in order to add a new firewall rule with an "Allow" action.
 references:

Diff for: rules/application/kubernetes/audit/kubernetes_audit_unauthorized_unauthenticated_actions.yml

@@ -1,6 +1,6 @@
 title: Kubernetes Unauthorized or Unauthenticated Access
 id: 0d933542-1f1f-420d-97d4-21b2c3c492d9
-status: experimental
+status: test
 description: |
     Detects when a request to the Kubernetes API is rejected due to lack of authorization or due to an expired authentication token being used.
     This may indicate an attacker attempting to leverage credentials they have obtained.

Diff for: rules/cloud/cisco/duo/cisco_duo_mfa_bypass_via_bypass_code.yml

@@ -1,6 +1,6 @@
 title: Cisco Duo Successful MFA Authentication Via Bypass Code
 id: 6f7e1c10-2dc9-4312-adb6-9574ff09a5c8
-status: experimental
+status: test
 description: |
     Detects when a successful MFA authentication occurs due to the use of a bypass code.
     A bypass code is a temporary passcode created by an administrator for a specific user to access a Duo-protected application. These are generally used as "backup codes," so that enrolled users who are having problems with their mobile devices (e.g., mobile service is disrupted, the device is lost or stolen, etc.) or who temporarily can't use their enrolled devices (on a plane without mobile data services) can still access their Duo-protected systems.

Diff for: rules/linux/process_creation/proc_creation_lnx_pnscan_binary_cli_pattern.yml

@@ -1,6 +1,6 @@
 title: Pnscan Binary Data Transmission Activity
 id: 97de11cd-4b67-4abf-9a8b-1020e670aa9e
-status: experimental
+status: test
 description: |
     Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network.
     This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence and was previously used by the threat actor known as TeamTNT

Diff for: rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml

@@ -3,7 +3,7 @@ id: 3109530e-ab47-4cc6-a953-cac5ebcc93ae
 related:
     - id: 7eac0a16-5832-4e81-865f-0268a6d19e4b
       type: similar
-status: experimental
+status: test
 description: Detects the deletion of the "Zone.Identifier" ADS by an uncommon process. Attackers can leverage this in order to bypass security restrictions that make use of the ADS such as Microsoft Office apps.
 references:
     - https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/

Diff for: rules/windows/image_load/image_load_side_load_keyscrambler.yml

@@ -3,7 +3,7 @@ id: d2451be2-b582-4e15-8701-4196ac180260
 related:
     - id: ca5583e9-8f80-46ac-ab91-7f314d13b984
       type: similar
-status: experimental
+status: test
 description: |
     Detects potential DLL side loading of "KeyScramblerIE.dll" by "KeyScrambler.exe".
     Various threat actors and malware have been found side loading a masqueraded "KeyScramblerIE.dll" through "KeyScrambler.exe".

Diff for: rules/windows/network_connection/net_connection_win_dialer_initiated_connection.yml

@@ -1,6 +1,6 @@
 title: Outbound Network Connection Initiated By Microsoft Dialer
 id: 37e4024a-6c80-4d8f-b95d-2e7e94f3a8d1
-status: experimental
+status: test
 description: |
     Detects outbound network connection initiated by Microsoft Dialer.
     The Microsoft Dialer, also known as Phone Dialer, is a built-in utility application included in various versions of the Microsoft Windows operating system. Its primary function is to provide users with a graphical interface for managing phone calls via a modem or a phone line connected to the computer.

Diff for: rules/windows/network_connection/net_connection_win_regasm_network_activity.yml

@@ -1,6 +1,6 @@
 title: RegAsm.EXE Initiating Network Connection To Public IP
 id: 0531e43a-d77d-47c2-b89f-5fe50321c805
-status: experimental
+status: test
 description: Detects "RegAsm.exe" initiating a network connection to public IP adresses
 references:
     - https://app.any.run/tasks/ec207948-4916-47eb-a0f4-4c6abb2e7668/

Diff for: rules/windows/process_creation/proc_creation_win_pua_netscan.yml

@@ -1,6 +1,6 @@
 title: PUA - SoftPerfect Netscan Execution
 id: ca387a8e-1c84-4da3-9993-028b45342d30
-status: experimental
+status: test
 description: |
     Detects usage of SoftPerfect's "netscan.exe". An application for scanning networks.
     It is actively used in-the-wild by threat actors to inspect and understand the network architecture of a victim.