Merge PR #5177 from @nasbench - promote older rules status from experimental to test

chore: promote older rules status from `experimental` to `test`

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
This commit is contained in:
github-actions[bot]
2025-02-03 18:23:12 +01:00
committed by GitHub
parent 1d8c84387f
commit 2bfb0935a0
58 changed files with 58 additions and 58 deletions
@@ -1,6 +1,6 @@
title: CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
id: eafb8bd5-7605-4bfe-a9ec-0442bc151f15
status: experimental
status: test
description: |
Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.
It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character.
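Review bot: the CVE identifier in the description does not match the title in this hunk: the title names CVE-2024-1212 while the description line reads `Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.` One of the two is wrong, so align the description with the title (or vice versa, after checking the references block) before promoting the status; the same sentence also needs a comma after the CVE number (`..., an unauthenticated command injection ...`).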
@@ -1,6 +1,6 @@
title: Potential KamiKakaBot Activity - Lure Document Execution
id: 24474469-bd80-46cc-9e08-9fbe81bfaaca
status: experimental
status: test
description: |
Detects the execution of a Word document via the WinWord Start Menu shortcut.
This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
@@ -1,6 +1,6 @@
title: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
id: fe9e8ba9-4419-41e6-a574-bd9f7b3af961
status: experimental
status: test
description: |
Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command.
This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
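Review bot: grammar in the description line `Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command.`: `schedule task` should be `scheduled task` and `execute` should be `executes`. Since this commit already touches the rule header, it is a cheap fix to carry along.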
@@ -1,6 +1,6 @@
title: Potential KamiKakaBot Activity - Winlogon Shell Persistence
id: c9b86500-1ec2-4de6-9120-d744c8fb5caf
status: experimental
status: test
description: |
Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
references:
@@ -1,6 +1,6 @@
title: Dfsvc.EXE Network Connection To Non-Local IPs
id: 3c21219b-49b5-4268-bce6-c914ed50f09c
status: experimental
status: test
description: Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to non-local IPs
references:
- https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
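Review bot: typo in the description line: `used to handled ClickOnce applications` should read `used to handle ClickOnce applications`.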
@@ -1,6 +1,6 @@
title: Network Connection Initiated By PowerShell Process
id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
status: experimental
status: test
description: |
Detects a network connection that was initiated from a PowerShell process.
Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs.
@@ -3,7 +3,7 @@ id: 277dc340-0540-42e7-8efb-5ff460045e07
related:
- id: 277dc340-0540-42e7-8efb-5ff460045e07
type: obsolete
status: experimental
status: test
description: |
Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\".
Attackers often use such directories for staging purposes.
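Review bot: the `related` block in this hunk references the rule's own id: the hunk header shows `id: 277dc340-0540-42e7-8efb-5ff460045e07` and the related entry is `- id: 277dc340-0540-42e7-8efb-5ff460045e07` with `type: obsolete`, so the rule declares itself obsolete. The entry should either point at the older rule this one replaced or be removed; a self-referencing relation is worth resolving before the status goes to `test`.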
@@ -1,6 +1,6 @@
title: Deployment Deleted From Kubernetes Cluster
id: 40967487-139b-4811-81d9-c9767a92aa5a
status: experimental
status: test
description: |
Detects the removal of a deployment from a Kubernetes cluster.
This could indicate disruptive activity aiming to impact business operations.
@@ -3,7 +3,7 @@ id: 3132570d-cab2-4561-9ea6-1743644b2290
related:
- id: 225d8b09-e714-479c-a0e4-55e6f29adf35
type: derived
status: experimental
status: test
description: |
Detects when events are deleted in Kubernetes.
An adversary may delete Kubernetes events in an attempt to evade detection.
@@ -1,6 +1,6 @@
title: Potential Remote Command Execution In Pod Container
id: a1b0ca4e-7835-413e-8471-3ff2b8a66be6
status: experimental
status: test
description: |
Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command.
references:
@@ -1,6 +1,6 @@
title: Container With A hostPath Mount Created
id: 402b955c-8fe0-4a8c-b635-622b4ac5f902
status: experimental
status: test
description: |
Detects creation of a container with a hostPath mount.
A hostPath volume mounts a directory or a file from the node to the container.
@@ -1,6 +1,6 @@
title: Creation Of Pod In System Namespace
id: a80d927d-ac6e-443f-a867-e8d6e3897318
status: experimental
status: test
description: |
Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods.
System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names.
@@ -1,6 +1,6 @@
title: Privileged Container Deployed
id: c5cd1b20-36bb-488d-8c05-486be3d0cb97
status: experimental
status: test
description: |
Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attacks.
A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host.
@@ -1,6 +1,6 @@
title: RBAC Permission Enumeration Attempt
id: 84b777bd-c946-4d17-aa2e-c39f5a454325
status: experimental
status: test
description: |
Detects identities attempting to enumerate their Kubernetes RBAC permissions.
In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment.
@@ -3,7 +3,7 @@ id: eeb3e9e1-b685-44e4-9232-6bb701f925b5
related:
- id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
type: derived
status: experimental
status: test
description: Detects enumeration of Kubernetes secrets.
references:
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
@@ -3,7 +3,7 @@ id: e31bae15-83ed-473e-bf31-faf4f8a17d36
related:
- id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
type: derived
status: experimental
status: test
description: |
Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.
references:
@@ -1,6 +1,6 @@
title: Potential Sidecar Injection Into Running Deployment
id: ad9012a6-e518-4432-9890-f3b82b8fc71f
status: experimental
status: test
description: |
Detects attempts to inject a sidecar container into a running deployment.
A sidecar container is an additional container within a pod, that resides alongside the main container.
@@ -1,6 +1,6 @@
title: OpenCanary - FTP Login Attempt
id: 6991bc2b-ae2e-447f-bc55-3a1ba04c14e5
status: experimental
status: test
description: Detects instances where an FTP service on an OpenCanary node has had a login attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
@@ -1,6 +1,6 @@
title: OpenCanary - GIT Clone Request
id: 4fe17521-aef3-4e6a-9d6b-4a7c8de155a8
status: experimental
status: test
description: Detects instances where a GIT service on an OpenCanary node has had Git Clone request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
@@ -1,6 +1,6 @@
title: OpenCanary - HTTP GET Request
id: af6c3078-84cd-4c68-8842-08b76bd81b13
status: experimental
status: test
description: Detects instances where an HTTP service on an OpenCanary node has received a GET request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
@@ -1,6 +1,6 @@
title: OpenCanary - HTTP POST Login Attempt
id: af1ac430-df6b-4b38-b976-0b52f07a0252
status: experimental
status: test
description: |
Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.
references:
@@ -1,6 +1,6 @@
title: OpenCanary - HTTPPROXY Login Attempt
id: 5498fc09-adc6-4804-b9d9-5cca1f0b8760
status: experimental
status: test
description: |
Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.
references:
@@ -1,6 +1,6 @@
title: OpenCanary - MSSQL Login Attempt Via SQLAuth
id: 3ec9a16d-0b4f-4967-9542-ebf38ceac7dd
status: experimental
status: test
description: |
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.
references:
@@ -1,6 +1,6 @@
title: OpenCanary - MSSQL Login Attempt Via Windows Authentication
id: 6e78f90f-0043-4a01-ac41-f97681613a66
status: experimental
status: test
description: |
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
references:
@@ -1,6 +1,6 @@
title: OpenCanary - MySQL Login Attempt
id: e7d79a1b-25ed-4956-bd56-bd344fa8fd06
status: experimental
status: test
description: Detects instances where a MySQL service on an OpenCanary node has had a login attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
@@ -1,6 +1,6 @@
title: OpenCanary - NTP Monlist Request
id: 7cded4b3-f09e-405a-b96f-24248433ba44
status: experimental
status: test
description: Detects instances where an NTP service on an OpenCanary node has had a NTP monlist request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
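Review bot: article in the description line: `has had a NTP monlist request` should read `has had an NTP monlist request`.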
@@ -1,6 +1,6 @@
title: OpenCanary - REDIS Action Command Attempt
id: 547dfc53-ebf6-4afe-8d2e-793d9574975d
status: experimental
status: test
description: Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
@@ -1,6 +1,6 @@
title: OpenCanary - SIP Request
id: e30de276-68ec-435c-ab99-ef3befec6c61
status: experimental
status: test
description: Detects instances where an SIP service on an OpenCanary node has had a SIP request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
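Review bot: article in the description line: `Detects instances where an SIP service` should read `a SIP service`.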
@@ -1,6 +1,6 @@
title: OpenCanary - SMB File Open Request
id: 22777c9e-873a-4b49-855f-6072ab861a52
status: experimental
status: test
description: Detects instances where an SMB service on an OpenCanary node has had a file open request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
@@ -1,6 +1,6 @@
title: OpenCanary - SNMP OID Request
id: e9856028-fd4e-46e6-b3d1-10f7ceb95078
status: experimental
status: test
description: Detects instances where an SNMP service on an OpenCanary node has had an OID request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
@@ -1,6 +1,6 @@
title: OpenCanary - SSH Login Attempt
id: ff7139bc-fdb1-4437-92f2-6afefe8884cb
status: experimental
status: test
description: Detects instances where an SSH service on an OpenCanary node has had a login attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
@@ -1,6 +1,6 @@
title: OpenCanary - SSH New Connection Attempt
id: cd55f721-5623-4663-bd9b-5229cab5237d
status: experimental
status: test
description: Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
@@ -1,6 +1,6 @@
title: OpenCanary - Telnet Login Attempt
id: 512cff7a-683a-43ad-afe0-dd398e872f36
status: experimental
status: test
description: Detects instances where a Telnet service on an OpenCanary node has had a login attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
@@ -1,6 +1,6 @@
title: OpenCanary - TFTP Request
id: b4e6b016-a2ac-4759-ad85-8000b300d61e
status: experimental
status: test
description: Detects instances where a TFTP service on an OpenCanary node has had a request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
@@ -1,6 +1,6 @@
title: OpenCanary - VNC Connection Attempt
id: 9db5446c-b44a-4291-8b89-fcab5609c3b3
status: experimental
status: test
description: Detects instances where a VNC service on an OpenCanary node has had a connection attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
@@ -5,7 +5,7 @@ related:
type: similar
- id: f459ccb4-9805-41ea-b5b2-55e279e2424a
type: similar
status: experimental
status: test
description: |
Detects the command line executed when TeamViewer starts a session started by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
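Review bot: the description in this hunk, `Detects the command line executed when TeamViewer starts a session started by a remote host.`, is word-for-word the same as the description in the two other TeamViewer hunks in this commit, which makes the three rules indistinguishable from their metadata alone; `starts a session started by` also reads awkwardly (`starts a session initiated by a remote host`). Consider stating in each description what that particular rule matches on before promoting all three to `test`.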
@@ -5,7 +5,7 @@ related:
type: similar
- id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
type: similar
status: experimental
status: test
description: |
Detects the command line executed when TeamViewer starts a session started by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
@@ -1,6 +1,6 @@
title: EVTX Created In Uncommon Location
id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb
status: experimental
status: test
description: |
Detects the creation of new files with the ".evtx" extension in non-common or non-standard location.
This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.
@@ -3,7 +3,7 @@ id: edf3485d-dac4-4d50-90e4-b0e5813f7e60
related:
- id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
type: derived
status: experimental
status: test
description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
references:
- https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md
@@ -5,7 +5,7 @@ related:
type: derived
- id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a
type: similar
status: experimental
status: test
description: |
Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location.
This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
@@ -5,7 +5,7 @@ related:
type: derived
- id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
type: obsolete
status: experimental
status: test
description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.
references:
- https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
@@ -5,7 +5,7 @@ related:
type: similar
- id: f459ccb4-9805-41ea-b5b2-55e279e2424a
type: similar
status: experimental
status: test
description: |
Detects the command line executed when TeamViewer starts a session started by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
@@ -1,6 +1,6 @@
title: Renamed NirCmd.EXE Execution
id: 264982dc-dbad-4dce-b707-1e0d3e0f73d9
status: experimental
status: test
description: Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
references:
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
@@ -1,6 +1,6 @@
title: Rundll32 Execution With Uncommon DLL Extension
id: c3a99af4-35a9-4668-879e-c09aeb4f2bdf
status: experimental
status: test
description: Detects the execution of rundll32 with a command line that doesn't contain a common extension
references:
- https://twitter.com/mrd0x/status/1481630810495139841?s=12
@@ -1,6 +1,6 @@
title: Suspicious Command Patterns In Scheduled Task Creation
id: f2c64357-b1d2-41b7-849f-34d2682c0fad
status: experimental
status: test
description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
references:
- https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/
@@ -1,6 +1,6 @@
title: Kernel Memory Dump Via LiveKD
id: c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2
status: experimental
status: test
description: Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
@@ -1,6 +1,6 @@
title: Loaded Module Enumeration Via Tasklist.EXE
id: 34275eb8-fa19-436b-b959-3d9ecd53fa1f
status: experimental
status: test
description: |
Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe".
This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.
@@ -1,6 +1,6 @@
title: Registry Persistence via Service in Safe Mode
id: 1547e27c-3974-43e2-a7d7-7f484fb928ec
status: experimental
status: test
description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network
@@ -1,6 +1,6 @@
title: Add Port Monitor Persistence in Registry
id: 944e8941-f6f6-4ee8-ac05-1c224e923c0e
status: experimental
status: test
description: |
Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation.
A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.
@@ -1,6 +1,6 @@
title: Sysmon Driver Altitude Change
id: 4916a35e-bfc4-47d0-8e25-a003d7067061
status: experimental
status: test
description: |
Detects changes in Sysmon driver altitude value.
If the Sysmon driver is configured to load at an altitude of another registered service, it will fail to load at boot.
@@ -1,6 +1,6 @@
title: Change Winevt Channel Access Permission Via Registry
id: 7d9263bd-dc47-4a58-bc92-5474abab390c
status: experimental
status: test
description: Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel.
references:
- https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/
@@ -1,6 +1,6 @@
title: Windows Defender Service Disabled - Registry
id: e1aa95de-610a-427d-b9e7-9b46cfafbe6a
status: experimental
status: test
description: Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry
references:
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
@@ -1,6 +1,6 @@
title: Disable Windows Event Logging Via Registry
id: 2f78da12-f7c7-430b-8b19-a28f269b77a3
status: experimental
status: test
description: Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel
references:
- https://twitter.com/WhichbufferArda/status/1543900539280293889
@@ -1,6 +1,6 @@
title: Displaying Hidden Files Feature Disabled
id: 5a5152f1-463f-436b-b2f5-8eceb3964b42
status: experimental
status: test
description: |
Detects modifications to the "Hidden" and "ShowSuperHidden" explorer registry values in order to disable showing of hidden files and system files.
This technique is abused by several malware families to hide their files from normal users.
@@ -1,6 +1,6 @@
title: MaxMpxCt Registry Value Changed
id: 0e6a9e62-627e-496c-aef5-bfa39da29b5e
status: experimental
status: test
description: |
Detects changes to the "MaxMpxCt" registry value.
MaxMpxCt specifies the maximum outstanding network requests for the server per client, which is used when negotiating a Server Message Block (SMB) connection with a client. Note if the value is set beyond 125 older Windows 9x clients will fail to negotiate.
@@ -1,6 +1,6 @@
title: Register New IFiltre For Persistence
id: b23818c7-e575-4d13-8012-332075ec0a2b
status: experimental
status: test
description: |
Detects when an attacker registers a new IFilter for an extension. Microsoft Windows Search uses filters to extract the content of items for inclusion in a full-text index.
You can extend Windows Search to index new or proprietary file types by writing filters to extract the content, and property handlers to extract the properties of files.
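Review bot: typo in the title line: `Register New IFiltre For Persistence` should read `Register New IFilter For Persistence`, matching the spelling used in the description (`registers a new IFilter`).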
@@ -1,6 +1,6 @@
title: ServiceDll Hijack
id: 612e47e9-8a59-43a6-b404-f48683f45bd6
status: experimental
status: test
description: |
Detects changes to the "ServiceDLL" value related to a service in the registry.
This is often used as a method of persistence.
@@ -1,6 +1,6 @@
title: New TimeProviders Registered With Uncommon DLL Name
id: e88a6ddc-74f7-463b-9b26-f69fc0d2ce85
status: experimental
status: test
description: |
Detects processes setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider.
Adversaries may abuse time providers to execute DLLs when the system boots.
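Review bot: stray word in the description line: `setting a new DLL in DllName in under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProvider` should drop one of the prepositions (`setting a new DLL in DllName under HKEY_LOCAL_MACHINE\...`).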