Merge PR #5397 from @nasbench - Promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
github-actions[bot]
2025-05-20 22:58:46 +02:00
committed by GitHub
parent 83b9ff50bc
commit 350fec2f51
29 changed files with 29 additions and 29 deletions
@@ -1,6 +1,6 @@
title: CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
id: 6c7defa9-69f8-4c34-b815-41fce3931754
status: experimental
status: test
description: |
Detects potential exploitation attempt of CVE-2023-1389 an Unauthenticated Command Injection in TP-Link Archer AX21.
references:
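Review bot: the description context line in this hunk is missing a comma after the CVE identifier ("CVE-2023-1389 an Unauthenticated Command Injection"); since the rule is leaving experimental status, suggest "Detects potential exploitation attempt of CVE-2023-1389, an unauthenticated command injection in TP-Link Archer AX21." in the same pass.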
@@ -1,6 +1,6 @@
title: Potential Exploitation of CVE-2024-3094 - Suspicious SSH Child Process
id: 9aa27839-e8ba-4d7a-ac1a-746c22c3d1e5
status: experimental
status: test
description: |
Detects potentially suspicious child process of SSH process (sshd) with a specific execution user. This could be a sign of potential exploitation of CVE-2024-3094.
references:
@@ -1,6 +1,6 @@
title: Potential CSharp Streamer RAT Loading .NET Executable Image
id: 6f6afac3-8e7a-4e4b-9588-2608ffe08f82
status: experimental
status: test
description: |
Detects potential CSharp Streamer RAT loading .NET executable image by using the default file name and path associated with the tool.
references:
@@ -1,6 +1,6 @@
title: Potential Kapeka Decrypted Backdoor Indicator
id: 20228d05-dd68-435d-8b4e-e7e64938880c
status: experimental
status: test
description: |
Detects the presence of a file that is decrypted backdoor binary dropped by the Kapeka Dropper, which disguises itself as a hidden file under a folder named "Microsoft" within "CSIDL_COMMON_APPDATA" or "CSIDL_LOCAL_APPDATA", depending on the process privileges.
The file, typically 5-6 characters long with a random combination of consonants and vowels followed by a ".wll" extension to pose as a legitimate file to evade detection.
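Review bot: the second description context line in this hunk is a sentence fragment ("The file, typically 5-6 characters long with a random combination of consonants and vowels followed by a ".wll" extension to pose as a legitimate file to evade detection."); suggest "The file name is typically 5-6 characters long, a random combination of consonants and vowels, followed by a ".wll" extension to pose as a legitimate file and evade detection."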
@@ -1,6 +1,6 @@
title: Kapeka Backdoor Loaded Via Rundll32.EXE
id: a7e6b1f9-8d2c-4f1e-9a7d-63e4c8a2bf4c
status: experimental
status: test
description: |
Detects the Kapeka Backdoor binary being loaded by rundll32.exe.
The Kapeka loader drops a backdoor, which is a DLL with the '.wll' extension masquerading as a Microsoft Word Add-In.
@@ -1,6 +1,6 @@
title: Kapeka Backdoor Persistence Activity
id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
status: experimental
status: test
description: |
Detects Kapeka backdoor persistence activity.
Depending on the process privileges, the Kapeka dropper then sets persistence for the backdoor either as a scheduled task (if admin or SYSTEM) or autorun registry (if not).
@@ -1,6 +1,6 @@
title: Kapeka Backdoor Execution Via RunDLL32.EXE
id: e98f741c-6a5b-4c83-bc2a-1f4e58d07b12
status: experimental
status: test
description: |
Detects Kapeka backdoor process execution pattern, where the dropper launch the backdoor binary by calling rundll32 and passing the backdoor's first export ordinal (#1) with a "-d" argument.
references:
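Review bot: subject-verb agreement in the description context line: "where the dropper launch the backdoor binary" should read "where the dropper launches the backdoor binary".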
@@ -3,7 +3,7 @@ id: c0c67b21-eb8a-4c84-a395-40473ec3b482
related:
- id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
type: similar
status: experimental
status: test
description: Detects the setting of a new value in the Autorun key that is used by the Kapeka backdoor for persistence.
references:
- https://labs.withsecure.com/publications/kapeka
@@ -1,6 +1,6 @@
title: Kapeka Backdoor Configuration Persistence
id: cbaa3ef3-07a9-4c8e-82d1-9e40578da7fd
status: experimental
status: test
description: |
Detects registry set activity of a value called "Seed" stored in the "\Cryptography\Providers\" registry key.
The Kapeka backdoor leverages this location to register a new SIP provider for backdoor configuration persistence.
@@ -3,7 +3,7 @@ id: 6c130acd-0adb-4545-bcc4-2e85d0883c9a
related:
- id: 64a871dd-83f6-4e5f-80fc-5a7ca3a8a819
type: similar
status: experimental
status: test
description: Detects Kapeka backdoor scheduled task creation based on attributes such as paths, commands line flags, etc.
references:
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
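Review bot: typo in the description context line: "commands line flags" should be "command line flags"; worth fixing while the status is being bumped.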
@@ -1,6 +1,6 @@
title: Windows LAPS Credential Dump From Entra ID
id: a4b25073-8947-489c-a8dd-93b41c23f26d
status: experimental
status: test
description: Detects when an account dumps the LAPS password from Entra ID.
references:
- https://twitter.com/NathanMcNulty/status/1785051227568632263
@@ -1,6 +1,6 @@
title: Okta New Admin Console Behaviours
id: a0b38b70-3cb5-484b-a4eb-c4d8e7bcc0a9
status: experimental
status: test
description: Detects when Okta identifies new activity in the Admin Console.
references:
- https://developer.okta.com/docs/reference/api/system-log/
@@ -1,6 +1,6 @@
title: Communication To LocaltoNet Tunneling Service Initiated - Linux
id: c4568f5d-131f-4e78-83d4-45b2da0ec4f1
status: experimental
status: test
description: |
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
@@ -3,7 +3,7 @@ id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
related:
- id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
type: similar
status: experimental
status: test
description: Detects failed logon attempts from clients to MSSQL server.
references:
- https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
@@ -3,7 +3,7 @@ id: ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
related:
- id: 218d2855-2bba-4f61-9c85-81d0ea63ac71
type: similar
status: experimental
status: test
description: Detects failed logon attempts from clients with external network IP to an MSSQL server. This can be a sign of a bruteforce attack.
references:
- https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/
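Review bot: "bruteforce" in the description context line should be "brute-force" ("This can be a sign of a brute-force attack.").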
@@ -3,7 +3,7 @@ id: e043f529-8514-4205-8ab0-7f7d2927b400
related:
- id: 5c80b618-0dbb-46e6-acbb-03d90bcb6d83
type: derived
status: experimental
status: test
description: |
Detects a DNS query by a non browser process on the system to "azurewebsites.net". The latter was often used by threat actors as a malware hosting and exfiltration site.
references:
@@ -3,7 +3,7 @@ id: 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a
related:
- id: 9433ff9c-5d3f-4269-99f8-95fc826ea489
type: obsolete
status: experimental
status: test
description: Detects file creation events with filename patterns used by CrackMapExec.
references:
- https://github.com/byt3bl33d3r/CrackMapExec/
@@ -1,6 +1,6 @@
title: HackTool - RemoteKrbRelay SMB Relay Secrets Dump Module Indicators
id: 3ab79e90-9fab-4cdf-a7b2-6522bc742adb
status: experimental
status: test
description: Detects the creation of file with specific names used by RemoteKrbRelay SMB Relay attack module.
references:
- https://github.com/CICADA8-Research/RemoteKrbRelay/blob/19ec76ba7aa50c2722b23359bc4541c0a9b2611c/Exploit/RemoteKrbRelay/Relay/Attacks/RemoteRegistry.cs#L31-L40
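Review bot: grammar in the description context line: "Detects the creation of file with specific names" should be "Detects the creation of files with specific names".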
@@ -1,6 +1,6 @@
title: DPAPI Backup Keys And Certificate Export Activity IOC
id: 7892ec59-c5bb-496d-8968-e5d210ca3ac4
status: experimental
status: test
description: |
Detects file names with specific patterns seen generated and used by tools such as Mimikatz and DSInternals related to exported or stolen DPAPI backup keys and certificates.
references:
@@ -1,6 +1,6 @@
title: Communication To LocaltoNet Tunneling Service Initiated
id: 3ab65069-d82a-4d44-a759-466661a082d1
status: experimental
status: test
description: |
Detects an executable initiating a network connection to "LocaltoNet" tunneling sub-domains.
LocaltoNet is a reverse proxy that enables localhost services to be exposed to the Internet.
@@ -1,6 +1,6 @@
title: Office Application Initiated Network Connection Over Uncommon Ports
id: 3b5ba899-9842-4bc2-acc2-12308498bf42
status: experimental
status: test
description: Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports.
references:
- https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit
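Review bot: typo in the description context line: "office suit application" should be "office suite application".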
@@ -3,7 +3,7 @@ id: 846c7a87-8e14-4569-9d49-ecfd4276a01c
related:
- id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
type: similar
status: experimental
status: test
description: |
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
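Review bot: the description context lines contain a sentence fragment ("DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity"); suggest "DSInternals PowerShell module, which can be used to perform what might be considered suspicious activity". The related rule 43d91656 later in this commit carries the identical wording, so fix both together.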
@@ -3,7 +3,7 @@ id: ccb5742c-c248-4982-8c5c-5571b9275ad3
related:
- id: fe63010f-8823-4864-a96b-a7b4a0f7b929
type: derived
status: experimental
status: test
description: |
Detects the execution of a potential recon command where the results are piped to "findstr". This is meant to trigger on inline calls of "cmd.exe" via the "/c" or "/k" for example.
Attackers often time use this technique to extract specific information they require in their reconnaissance phase.
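Review bot: two wording issues in the description context lines: "via the "/c" or "/k" for example" is missing its noun (suggest "via the "/c" or "/k" flags, for example"), and "Attackers often time use this technique" should be "Attackers often use this technique".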
@@ -1,6 +1,6 @@
title: HackTool - RemoteKrbRelay Execution
id: a7664b14-75fb-4a50-a223-cb9bc0afbacf
status: experimental
status: test
description: |
Detects the use of RemoteKrbRelay, a Kerberos relaying tool via CommandLine flags and PE metadata.
references:
@@ -1,6 +1,6 @@
title: HackTool - SharpDPAPI Execution
id: c7d33b50-f690-4b51-8cfb-0fb912a31e57
status: experimental
status: test
description: |
Detects the execution of the SharpDPAPI tool based on CommandLine flags and PE metadata.
SharpDPAPI is a C# port of some DPAPI functionality from the Mimikatz project.
@@ -3,7 +3,7 @@ id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
related:
- id: 846c7a87-8e14-4569-9d49-ecfd4276a01c
type: similar
status: experimental
status: test
description: |
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
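Review bot: same sentence fragment as in the related rule 846c7a87 earlier in this commit ("module. Which can be used to perform what might be considered as suspicious activity"); suggest "module, which can be used to perform what might be considered suspicious activity" so the two related rules keep identical descriptions.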
@@ -1,6 +1,6 @@
title: Hypervisor Enforced Code Integrity Disabled
id: 8b7273a4-ba5d-4d8a-b04f-11f2900d043a
status: experimental
status: test
description: |
Detects changes to the HypervisorEnforcedCodeIntegrity registry key and the "Enabled" value being set to 0 in order to disable the Hypervisor Enforced Code Integrity feature. This allows an attacker to load unsigned and untrusted code to be run in the kernel
references:
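Review bot: the description context line is missing its terminating period, and "to load unsigned and untrusted code to be run in the kernel" is redundant; suggest "This allows an attacker to load unsigned and untrusted code into the kernel."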
@@ -1,6 +1,6 @@
title: Hypervisor Enforced Paging Translation Disabled
id: 7f2954d2-99c2-4d42-a065-ca36740f187b
status: experimental
status: test
description: |
Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value. Where the it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature.
references:
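Review bot: the description context line has a stray article and a fragment ("registry value. Where the it is set to "1""); suggest "Detects changes to the "DisableHypervisorEnforcedPagingTranslation" registry value, where it is set to "1" in order to disable the Hypervisor Enforced Paging Translation feature."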
@@ -1,6 +1,6 @@
title: Periodic Backup For System Registry Hives Enabled
id: 973ef012-8f1a-4c40-93b4-7e659a5cd17f
status: experimental
status: test
description: |
Detects the enabling of the "EnablePeriodicBackup" registry value. Once enabled, The OS will backup System registry hives on restarts to the "C:\Windows\System32\config\RegBack" folder. Windows creates a "RegIdleBackup" task to manage subsequent backups.
Registry backup was a default behavior on Windows and was disabled as of "Windows 10, version 1803".
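Review bot: capitalization and verb form in the description context line: "Once enabled, The OS will backup System registry hives" should be "Once enabled, the OS will back up system registry hives" ("back up" is the verb; "backup" is the noun).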