Change status for old rules

rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml

@@ -1,31 +1,32 @@
 title: Malware Shellcode in Verclsid Target Process
 id: b7967e22-3d7e-409b-9ed5-cdae3f9243a1
-status: experimental
+status: test
 description: Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro
-references:
-    - https://twitter.com/JohnLaTwC/status/837743453039534080
-tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
-    - attack.t1055
 author: John Lambert (tech), Florian Roth (rule)
+references:
+  - https://twitter.com/JohnLaTwC/status/837743453039534080
 date: 2017/03/04
+modified: 2021/11/27
 logsource:
-    category: process_access
-    product: windows
-    definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
+  category: process_access
+  product: windows
+  definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
 detection:
-    selection:
-        TargetImage|endswith: '\verclsid.exe'
-        GrantedAccess: '0x1FFFFF'
-    combination1:
-        CallTrace|contains|all: 
-            - '|UNKNOWN('
-            - 'VBE7.DLL'
-    combination2:
-        SourceImage|contains: '\Microsoft Office\'
-        CallTrace|contains: '|UNKNOWN'
-    condition: selection and 1 of combination*
+  selection:
+    TargetImage|endswith: '\verclsid.exe'
+    GrantedAccess: '0x1FFFFF'
+  combination1:
+    CallTrace|contains|all:
+      - '|UNKNOWN('
+      - 'VBE7.DLL'
+  combination2:
+    SourceImage|contains: '\Microsoft Office\'
+    CallTrace|contains: '|UNKNOWN'
+  condition: selection and 1 of combination*
 falsepositives:
-    - unknown
+  - unknown
 level: high
+tags:
+  - attack.defense_evasion
+  - attack.privilege_escalation
+  - attack.t1055