chore: promote older rules status from experimental to test

nasbench · web-flow · commit c068021b1658 · 2025-04-01T00:27:19.000Z
diff --git a/rules-emerging-threats/2024/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_save_temp.yml b/rules-emerging-threats/2024/Malware/DarkGate/file_event_win_malware_darkgate_autoit3_save_temp.yml
@@ -1,6 +1,6 @@
 title: DarkGate - Drop DarkGate Loader In C:\Temp Directory
 id: df49c691-8026-48dd-94d3-4ba6a79102a8
-status: experimental
+status: test
 description: Detects attackers attempting to save, decrypt and execute the DarkGate Loader in C:\temp folder.
 references:
     - https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-smartscreen-flaw-to-drop-darkgate-malware/
diff --git a/rules-placeholder/windows/network_connection/net_connection_win_susp_rdp_from_domain_controller.yml b/rules-placeholder/windows/network_connection/net_connection_win_susp_rdp_from_domain_controller.yml
@@ -1,6 +1,6 @@
 title: New RDP Connection Initiated From Domain Controller
 id: fda34293-718e-4b36-b018-38caab0d1209
-status: experimental
+status: test
 description: Detects an RDP connection originating from a domain controller.
 references:
     - Internal Research
diff --git a/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_netfirewallrule_allow.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_new_netfirewallrule_allow.yml
@@ -3,7 +3,7 @@ id: 8d31dd2e-b582-48ca-826e-dcaa2c1ca264
 related:
     - id: 51483085-0cba-46a8-837e-4416496d6971
       type: similar
-status: experimental
+status: test
 description: |
     Detects when a powershell script contains calls to the "New-NetFirewallRule" cmdlet in order to add a new firewall rule with an "Allow" action.
 references:
diff --git a/rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml b/rules/linux/network_connection/net_connection_lnx_susp_malware_callback_port.yml
@@ -3,7 +3,7 @@ id: dbfc7c98-04ab-4ab7-aa94-c74d22aa7376
 related:
     - id: 4b89abaa-99fe-4232-afdd-8f9aa4d20382
       type: derived
-status: experimental
+status: test
 description: |
     Detects programs that connect to known malware callback ports based on threat intelligence reports.
 references:
diff --git a/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml b/rules/macos/process_creation/proc_creation_macos_launchctl_execution.yml
@@ -1,6 +1,6 @@
 title: Launch Agent/Daemon Execution Via Launchctl
 id: ae9d710f-dcd1-4f75-a0a5-93a73b5dda0e
-status: experimental
+status: test
 description: Detects the execution of programs as Launch Agents or Launch Daemons using launchctl on macOS.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.001/T1569.001.md
diff --git a/rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml b/rules/macos/process_creation/proc_creation_macos_nscurl_usage.yml
@@ -1,6 +1,6 @@
 title: File Download Via Nscurl - MacOS
 id: 6d8a7cf1-8085-423b-b87d-7e880faabbdf
-status: experimental
+status: test
 description: Detects the execution of the nscurl utility in order to download files.
 references:
     - https://www.loobins.io/binaries/nscurl/
diff --git a/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml b/rules/macos/process_creation/proc_creation_macos_sysctl_discovery.yml
@@ -1,6 +1,6 @@
 title: System Information Discovery Via Sysctl - MacOS
 id: 6ff08e55-ea53-4f27-94a1-eff92e6d9d5c
-status: experimental
+status: test
 description: |
     Detects the execution of "sysctl" with specific arguments that have been used by threat actors and malware. It provides system hardware information.
     This process is primarily used to detect and avoid virtualization and analysis environments.
diff --git a/rules/macos/process_creation/proc_creation_macos_tmutil_delete_backup.yml b/rules/macos/process_creation/proc_creation_macos_tmutil_delete_backup.yml
@@ -1,6 +1,6 @@
 title: Time Machine Backup Deletion Attempt Via Tmutil - MacOS
 id: 452df256-da78-427a-866f-49fa04417d74
-status: experimental
+status: test
 description: |
     Detects deletion attempts of MacOS Time Machine backups via the native backup utility "tmutil".
     An adversary may perform this action before launching a ransonware attack to prevent the victim from restoring their files.
diff --git a/rules/macos/process_creation/proc_creation_macos_tmutil_disable_backup.yml b/rules/macos/process_creation/proc_creation_macos_tmutil_disable_backup.yml
@@ -1,6 +1,6 @@
 title: Time Machine Backup Disabled Via Tmutil - MacOS
 id: 2c95fa8a-8b8d-4787-afce-7117ceb8e3da
-status: experimental
+status: test
 description: |
     Detects disabling of Time Machine (Apple's automated backup utility software) via the native macOS backup utility "tmutil".
     An attacker can use this to prevent backups from occurring.
diff --git a/rules/macos/process_creation/proc_creation_macos_tmutil_exclude_file_from_backup.yml b/rules/macos/process_creation/proc_creation_macos_tmutil_exclude_file_from_backup.yml
@@ -1,6 +1,6 @@
 title: New File Exclusion Added To Time Machine Via Tmutil - MacOS
 id: 9acf45ed-3a26-4062-bf08-56857613eb52
-status: experimental
+status: test
 description: |
     Detects the addition of a new file or path exclusion to MacOS Time Machine via the "tmutil" utility.
     An adversary could exclude a path from Time Machine backups to prevent certain files from being backed up.
diff --git a/rules/web/proxy_generic/proxy_webdav_external_execution.yml b/rules/web/proxy_generic/proxy_webdav_external_execution.yml
@@ -3,7 +3,7 @@ id: 1ae64f96-72b6-48b3-ad3d-e71dff6c6398
 related:
     - id: 4c55738d-72d8-490e-a2db-7969654e375f
       type: similar
-status: experimental
+status: test
 description: |
     Detects executables launched from external WebDAV shares using the WebDAV Explorer integration, commonly seen in initial access campaigns.
 references:
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_susp_folder.yml
@@ -3,7 +3,7 @@ id: 9e2575e7-2cb9-4da1-adc8-ed94221dca5e
 related:
     - id: cde0a575-7d3d-4a49-9817-b8004a7bf105
       type: derived
-status: experimental
+status: test
 description: Detects the addition of a new rule to the Windows Firewall exception list for an application located in a potentially suspicious location.
 references:
     - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml b/rules/windows/builtin/firewall_as/win_firewall_as_add_rule_wmiprvse.yml
@@ -1,6 +1,6 @@
 title: New Firewall Rule Added In Windows Firewall Exception List Via WmiPrvSE.EXE
 id: eca81e8d-09e1-4d04-8614-c91f44fd0519
-status: experimental
+status: test
 description: |
     Detects the addition of a new "Allow" firewall rule by the WMI process (WmiPrvSE.EXE).
     This can occur if an attacker leverages PowerShell cmdlets such as "New-NetFirewallRule", or directly uses WMI CIM classes such as "MSFT_NetFirewallRule".
diff --git a/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml b/rules/windows/file/file_event/file_event_win_mysqld_uncommon_file_creation.yml
@@ -1,6 +1,6 @@
 title: Uncommon File Creation By Mysql Daemon Process
 id: c61daa90-3c1e-4f18-af62-8f288b5c9aaf
-status: experimental
+status: test
 description: |
     Detects the creation of files with scripting or executable extensions by Mysql daemon.
     Which could be an indicator of "User Defined Functions" abuse to download malware.
diff --git a/rules/windows/network_connection/net_connection_win_domain_cloudflared_communication.yml b/rules/windows/network_connection/net_connection_win_domain_cloudflared_communication.yml
@@ -3,7 +3,7 @@ id: 7cd1dcdc-6edf-4896-86dc-d1f19ad64903
 related:
     - id: a1d9eec5-33b2-4177-8d24-27fe754d0812
       type: derived
-status: experimental
+status: test
 description: |
     Detects network connections to Cloudflared tunnels domains initiated by a process on the system.
     Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
diff --git a/rules/windows/network_connection/net_connection_win_domain_portmap.yml b/rules/windows/network_connection/net_connection_win_domain_portmap.yml
@@ -1,6 +1,6 @@
 title: Network Communication Initiated To Portmap.IO Domain
 id: 07837ab9-60e1-481f-a74d-c31fb496a94c
-status: experimental
+status: test
 description: Detects an executable accessing the portmap.io domain, which could be a sign of forbidden C2 traffic or data exfiltration by malicious actors
 references:
     - https://portmap.io/
diff --git a/rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml b/rules/windows/powershell/powershell_script/posh_ps_packet_capture.yml
@@ -1,6 +1,6 @@
 title: Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
 id: da34e323-1e65-42db-83be-a6725ac2caa3
-status: experimental
+status: test
 description: |
     Detects the execution of powershell scripts with calls to the "Start-NetEventSession" cmdlet. Which allows an attacker to start event and packet capture for a network event session.
     Adversaries may attempt to capture network to gather information over the course of an operation.
diff --git a/rules/windows/process_access/proc_access_win_susp_all_access_uncommon_target.yml b/rules/windows/process_access/proc_access_win_susp_all_access_uncommon_target.yml
@@ -1,6 +1,6 @@
 title: Uncommon Process Access Rights For Target Image
 id: a24e5861-c6ca-4fde-a93c-ba9256feddf0
-status: experimental
+status: test
 description: |
     Detects process access request to uncommon target images with a "PROCESS_ALL_ACCESS" access mask.
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml
@@ -1,6 +1,6 @@
 title: LSASS Process Reconnaissance Via Findstr.EXE
 id: fe63010f-8823-4864-a96b-a7b4a0f7b929
-status: experimental
+status: test
 description: Detects findstring commands that include the keyword lsass, which indicates recon actviity for the LSASS process PID
 references:
     - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
diff --git a/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml
@@ -1,6 +1,6 @@
 title: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
 id: b2b048b0-7857-4380-b0fb-d3f0ab820b71
-status: experimental
+status: test
 description: |
     Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.
     This behavior has been observed in-the-wild by different threat actors.
diff --git a/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_keyscrambler_susp_child_process.yml
@@ -3,7 +3,7 @@ id: ca5583e9-8f80-46ac-ab91-7f314d13b984
 related:
     - id: d2451be2-b582-4e15-8701-4196ac180260
       type: similar
-status: experimental
+status: test
 description: Detects potentially suspicious child processes of KeyScrambler.exe
 references:
     - https://twitter.com/DTCERT/status/1712785421845790799
diff --git a/rules/windows/process_creation/proc_creation_win_qemu_suspicious_execution.yml b/rules/windows/process_creation/proc_creation_win_qemu_suspicious_execution.yml
@@ -1,6 +1,6 @@
 title: Potentially Suspicious Usage Of Qemu
 id: 5fc297ae-25b6-488a-8f25-cc12ac29b744
-status: experimental
+status: test
 description: |
     Detects potentially suspicious execution of the Qemu utility in a Windows environment.
     Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.
diff --git a/rules/windows/process_creation/proc_creation_win_reg_enable_windows_recall.yml b/rules/windows/process_creation/proc_creation_win_reg_enable_windows_recall.yml
@@ -5,7 +5,7 @@ related:
       type: similar
     - id: 75180c5f-4ea1-461a-a4f6-6e4700c065d4
       type: similar
-status: experimental
+status: test
 description: |
     Detects the enabling of the Windows Recall feature via registry manipulation.
     Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" value, or setting it to 0.
diff --git a/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml b/rules/windows/process_creation/proc_creation_win_susp_browser_launch_from_document_reader_process.yml
@@ -1,6 +1,6 @@
 title: Potential Suspicious Browser Launch From Document Reader Process
 id: 1193d960-2369-499f-a158-7b50a31df682
-status: experimental
+status: test
 description: |
     Detects when a browser process or browser tab is launched from an application that handles document files such as Adobe, Microsoft Office, etc. And connects to a web application over http(s), this could indicate a possible phishing attempt.
 references:
diff --git a/rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml b/rules/windows/process_creation/proc_creation_win_wbadmin_dump_sensitive_files.yml
@@ -1,6 +1,6 @@
 title: Sensitive File Dump Via Wbadmin.EXE
 id: 8b93a509-1cb8-42e1-97aa-ee24224cdc15
-status: experimental
+status: test
 description: |
     Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
     Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
diff --git a/rules/windows/process_creation/proc_creation_win_wbadmin_restore_file.yml b/rules/windows/process_creation/proc_creation_win_wbadmin_restore_file.yml
@@ -3,7 +3,7 @@ id: 6fe4aa1e-0531-4510-8be2-782154b73b48
 related:
     - id: 84972c80-251c-4c3a-9079-4f00aad93938
       type: derived
-status: experimental
+status: test
 description: |
     Detects the recovery of files from backups via "wbadmin.exe".
     Attackers can restore sensitive files such as NTDS.DIT or Registry Hives from backups in order to potentially extract credentials.
diff --git a/rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml b/rules/windows/process_creation/proc_creation_win_wbadmin_restore_sensitive_files.yml
@@ -3,7 +3,7 @@ id: 84972c80-251c-4c3a-9079-4f00aad93938
 related:
     - id: 6fe4aa1e-0531-4510-8be2-782154b73b48
       type: derived
-status: experimental
+status: test
 description: |
     Detects the dump of highly sensitive files such as "NTDS.DIT" and "SECURITY" hive.
     Attackers can leverage the "wbadmin" utility in order to dump sensitive files that might contain credential or sensitive information.
diff --git a/rules/windows/registry/registry_delete/registry_delete_enable_windows_recall.yml b/rules/windows/registry/registry_delete/registry_delete_enable_windows_recall.yml
@@ -5,7 +5,7 @@ related:
       type: similar
     - id: 817f252c-5143-4dae-b418-48c3e9f63728
       type: similar
-status: experimental
+status: test
 description: |
     Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by deleting the existing "DisableAIDataAnalysis" registry value.
     Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
diff --git a/rules/windows/registry/registry_set/registry_set_enable_windows_recall.yml b/rules/windows/registry/registry_set/registry_set_enable_windows_recall.yml
@@ -5,7 +5,7 @@ related:
       type: similar
     - id: 817f252c-5143-4dae-b418-48c3e9f63728
       type: similar
-status: experimental
+status: test
 description: |
     Detects the enabling of the Windows Recall feature via registry manipulation. Windows Recall can be enabled by setting the value of "DisableAIDataAnalysis" to "0".
     Adversaries may enable Windows Recall as part of post-exploitation discovery and collection activities.
diff --git a/rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml b/rules/windows/registry/registry_set/registry_set_uac_disable_notification.yml
@@ -5,7 +5,7 @@ related:
       type: similar
     - id: 48437c39-9e5f-47fb-af95-3d663c3f2919
       type: similar
-status: experimental
+status: test
 description: |
     Detects when an attacker tries to disable User Account Control (UAC) notification by tampering with the "UACDisableNotify" value.
     UAC is a critical security feature in Windows that prevents unauthorized changes to the operating system. It prompts the user for permission or an administrator password before allowing actions that could affect the system's operation or change settings that affect other users.
diff --git a/rules/windows/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml b/rules/windows/registry/registry_set/registry_set_uac_disable_secure_desktop_prompt.yml
@@ -5,7 +5,7 @@ related:
       type: similar
     - id: 48437c39-9e5f-47fb-af95-3d663c3f2919
       type: similar
-status: experimental
+status: test
 description: |
     Detects when an attacker tries to change User Account Control (UAC) elevation request destination via the "PromptOnSecureDesktop" value.
     The "PromptOnSecureDesktop" setting specifically determines whether UAC prompts are displayed on the secure desktop. The secure desktop is a separate desktop environment that's isolated from other processes running on the system. It's designed to prevent malicious software from intercepting or tampering with UAC prompts.
