Merge PR #5506 from @nasbench -promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
github-actions[bot]
2025-07-01 10:34:38 +02:00
committed by GitHub
parent 2610f580d8
commit 4316ad64da
39 changed files with 39 additions and 39 deletions
@@ -1,6 +1,6 @@
title: Emotet Loader Execution Via .LNK File
id: 1f32d820-1d5c-43fe-8fe2-feef0c952eb7
status: experimental
status: test
description: |
Detects the Emotet Epoch4 loader as reported by @malware_traffic back in 2022.
The ".lnk" file was delivered via phishing campaign.
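Review bot: The commit message (L1) says the promotion is by rule age, but the Sigma specification ties `status: test` to the rule showing no obvious false positives across a decent number of log sources, not to time since creation; this hunk (and the 38 like it) flips only the `status` line and does not touch the `modified` field, which sits outside the six-line context. Suggest the PR body state what validation backs the promotion and confirm that the repository's policy does not require a `modified` bump for a status-only change, so a later reader can tell why these rules moved.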
@@ -1,6 +1,6 @@
title: FakeUpdates/SocGholish Activity
id: 97805087-93ab-4203-b5cb-287cda6aecaa
status: experimental
status: test
description: Detects initial execution of FakeUpdates/SocGholish malware via wscript that later executes commands via cmd or powershell.
references:
- https://twitter.com/th3_protoCOL/status/1536788652889497600
@@ -1,6 +1,6 @@
title: Task Scheduler DLL Loaded By Application Located In Potentially Suspicious Location
id: 3b92a1d0-8d4b-4d28-a1b4-1e29d49a6a3e
status: experimental
status: test
description: |
Detects the loading of the "taskschd.dll" module from a process that located in a potentially suspicious or uncommon directory.
The loading of this DLL might indicate that the application have the capability to create a scheduled task via the "Schedule.Service" COM object.
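Review bot: Two grammar errors in the description lines of this hunk should be fixed while the file is being touched: "a process that located in" should read "a process that is located in", and "the application have the capability" should read "the application has the capability". Neither affects the detection logic, but a status promotion is the right moment to clean up the text analysts will read in the alert.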
@@ -1,6 +1,6 @@
title: Potential File Override/Append Via SET Command
id: 65e4c134-ee52-4099-9e35-5e17a4b45c62
status: experimental
status: test
description: |
Detects the use of the "SET" internal command of Cmd.EXE with the /p flag followed directly by an "=" sign.
Attackers used this technique along with an append redirection operator ">>" in order to update the content of a file indirectly.
@@ -1,6 +1,6 @@
title: Manual Execution of Script Inside of a Compressed File
id: 95724fc1-a258-4674-97db-a30351981c5a
status: experimental
status: test
description: |
This is a threat-hunting query to collect information related to the interactive execution of a script from inside a compressed file (zip/rar). Windows will automatically run the script using scripting interpreters such as wscript and cscript binaries.
@@ -1,6 +1,6 @@
title: User Risk and MFA Registration Policy Updated
id: d4c7758e-9417-4f2e-9109-6125d66dabef
status: experimental
status: test
description: |
Detects changes and updates to the user risk and MFA registration policy.
Attackers can modified the policies to Bypass MFA, weaken security thresholds, facilitate further attacks, maintain persistence.
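Review bot: "Attackers can modified the policies to Bypass MFA" in the second description line should read "Attackers can modify the policies to bypass MFA", and the list that follows needs a conjunction: "weaken security thresholds, facilitate further attacks, or maintain persistence".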
@@ -1,6 +1,6 @@
title: Multi Factor Authentication Disabled For User Account
id: b18454c8-0be3-41f7-86bc-9c614611b839
status: experimental
status: test
description: |
Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled".
Threat actors were seen disabling multi factor authentication for users in order to maintain or achieve access to the account. Also see in SIM Swap attacks.
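Review bot: "Also see in SIM Swap attacks" in the last description line should read "Also seen in SIM swap attacks"; "multi factor authentication" in the same line is conventionally hyphenated as "multi-factor authentication".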
@@ -1,6 +1,6 @@
title: Suspicious Invocation of Shell via AWK - Linux
id: 8c1a5675-cb85-452f-a298-b01b22a51856
status: experimental
status: test
description: |
Detects the execution of "awk" or it's sibling commands, to invoke a shell using the system() function.
This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
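Review bot: "it's sibling commands" in the first description line should be "its sibling commands" (possessive, not the contraction of "it is").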
@@ -1,6 +1,6 @@
title: Capsh Shell Invocation - Linux
id: db1ac3be-f606-4e3a-89e0-9607cbe6b98a
status: experimental
status: test
description: |
Detects the use of the "capsh" utility to invoke a shell.
references:
@@ -1,6 +1,6 @@
title: Shell Invocation via Env Command - Linux
id: bed978f8-7f3a-432b-82c5-9286a9b3031a
status: experimental
status: test
description: |
Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
references:
@@ -1,6 +1,6 @@
title: Shell Execution via Find - Linux
id: 6adfbf8f-52be-4444-9bac-81b539624146
status: experimental
status: test
description: |
Detects the use of the find command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or exploitation attempt.
references:
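Review bot: "or exploitation attempt" at the end of the description should be plural ("exploitation attempts") to match the other items in that list.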
@@ -1,6 +1,6 @@
title: Shell Execution via Flock - Linux
id: 4b09c71e-4269-4111-9cdd-107d8867f0cc
status: experimental
status: test
description: |
Detects the use of the "flock" command to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
@@ -1,6 +1,6 @@
title: Shell Execution GCC - Linux
id: 9b5de532-a757-4d70-946c-1f3e44f48b4d
status: experimental
status: test
description: |
Detects the use of the "gcc" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
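Review bot: The title "Shell Execution GCC - Linux" is missing the "via" that the sibling rules in this same change use ("Shell Execution via Git - Linux", "Shell Execution via Nice - Linux"); suggest "Shell Execution via GCC - Linux" so the family of rules reads consistently in rule listings.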
@@ -1,6 +1,6 @@
title: Shell Execution via Git - Linux
id: 47b3bbd4-1bf7-48cc-84ab-995362aaa75a
status: experimental
status: test
description: |
Detects the use of the "git" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
@@ -1,6 +1,6 @@
title: Shell Execution via Nice - Linux
id: 093d68c7-762a-42f4-9f46-95e79142571a
status: experimental
status: test
description: |
Detects the use of the "nice" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
@@ -1,6 +1,6 @@
title: Inline Python Execution - Spawn Shell Via OS System Library
id: 2d2f44ff-4611-4778-a8fc-323a0e9850cc
status: experimental
status: test
description: |
Detects execution of inline Python code via the "-c" in order to call the "system" function from the "os" library, and spawn a shell.
references:
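Review bot: 'via the "-c"' in the description is missing its noun; suggest 'via the "-c" flag' so the sentence reads "Detects execution of inline Python code via the "-c" flag in order to call the "system" function from the "os" library".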
@@ -1,6 +1,6 @@
title: Shell Invocation Via Ssh - Linux
id: 8737b7f6-8df3-4bb7-b1da-06019b99b687
status: experimental
status: test
description: |
Detects the use of the "ssh" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
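Review bot: "Ssh" in the title "Shell Invocation Via Ssh - Linux" is an acronym and should be written "SSH", in line with "GCC" in the title of the gcc rule in this same change; "Via" is also capitalized here while the sibling titles use "via".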
@@ -1,6 +1,6 @@
title: Hidden Flag Set On File/Directory Via Chflags - MacOS
id: 3b2c1059-ae5f-40b6-b5d4-6106d3ac20fe
status: experimental
status: test
description: |
Detects the execution of the "chflags" utility with the "hidden" flag, in order to hide files on MacOS.
When a file or directory has this hidden flag set, it becomes invisible to the default file listing commands and in graphical file browsers.
@@ -1,6 +1,6 @@
title: Disk Image Creation Via Hdiutil - MacOS
id: 1cf98dc2-fcb0-47c9-8aea-654c9284d1ae
status: experimental
status: test
description: Detects the execution of the hdiutil utility in order to create a disk image.
references:
- https://www.loobins.io/binaries/hdiutil/
@@ -1,6 +1,6 @@
title: Disk Image Mounting Via Hdiutil - MacOS
id: bf241472-f014-4f01-a869-96f99330ca8c
status: experimental
status: test
description: Detects the execution of the hdiutil utility in order to mount disk images.
references:
- https://www.loobins.io/binaries/hdiutil/
@@ -1,6 +1,6 @@
title: Suspicious Remote AppX Package Locations
id: 8b48ad89-10d8-4382-a546-50588c410f0d
status: experimental
status: test
description: |
Detects an appx package added to the pipeline of the "to be processed" packages which was downloaded from a suspicious domain.
references:
@@ -1,6 +1,6 @@
title: DNS Query To Put.io - DNS Client
id: 8b69fd42-9dad-4674-abef-7fdef43ef92a
status: experimental
status: test
description: Detects DNS queries for subdomains related to "Put.io" sharing website.
references:
- https://darkatlas.io/blog/medusa-ransomware-group-opsec-failure
@@ -1,6 +1,6 @@
title: Uncommon New Firewall Rule Added In Windows Firewall Exception List
id: cde0a575-7d3d-4a49-9817-b8004a7bf105
status: experimental
status: test
description: Detects when a rule has been added to the Windows Firewall exception list
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
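Review bot: The description "Detects when a rule has been added to the Windows Firewall exception list" is broader than the title "Uncommon New Firewall Rule Added In Windows Firewall Exception List" promises; it should spell out what makes a rule "uncommon" for this detection so an analyst triaging the alert knows which rule additions were deliberately excluded. The description is also missing its terminating period.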
@@ -1,6 +1,6 @@
title: Group Policy Abuse for Privilege Addition
id: 1c480e10-7ee1-46d4-8ed2-85f9789e3ce4
status: experimental
status: test
description: |
Detects the first occurrence of a modification to Group Policy Object Attributes to add privileges to user accounts or use them to add users as local admins.
author: Elastic, Josh Nickels, Marius Rothenbücher
@@ -1,6 +1,6 @@
title: Process Deletion of Its Own Executable
id: f01d1f70-cd41-42ec-9c0b-26dd9c22bf29
status: experimental
status: test
description: |
Detects the deletion of a process's executable by itself. This is usually not possible without workarounds and may be used by malware to hide its traces.
references:
@@ -1,6 +1,6 @@
title: Data Export From MSSQL Table Via BCP.EXE
id: c615d676-f655-46b9-b913-78729021e5d7
status: experimental
status: test
description: |
Detects the execution of the BCP utility in order to export data from the database.
Attackers were seen saving their malware to a database column or table and then later extracting it via "bcp.exe" into a file.
@@ -1,6 +1,6 @@
title: Suspicious Download From File-Sharing Website Via Bitsadmin
id: 8518ed3d-f7c9-4601-a26c-f361a4256a0c
status: experimental
status: test
description: Detects usage of bitsadmin downloading a file from a suspicious domain
references:
- https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin
@@ -5,7 +5,7 @@ related:
type: similar
- id: 13e6fe51-d478-4c7e-b0f2-6da9b400a829 # Generic download
type: similar
status: experimental
status: test
description: Detects the execution of certutil with certain flags that allow the utility to download files from file-sharing websites.
references:
- https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
@@ -1,6 +1,6 @@
title: File Explorer Folder Opened Using Explorer Folder Shortcut Via Shell
id: c3d76afc-93df-461e-8e67-9b2bad3f2ac4
status: experimental
status: test
description: |
Detects the initial execution of "cmd.exe" which spawns "explorer.exe" with the appropriate command line arguments for opening the "My Computer" folder.
author: '@Kostastsale'
@@ -1,6 +1,6 @@
title: HackTool - SharpWSUS/WSUSpendu Execution
id: b0ce780f-10bd-496d-9067-066d23dc3aa5
status: experimental
status: test
description: |
Detects the execution of SharpWSUS or WSUSpendu, utilities that allow for lateral movement through WSUS.
Windows Server Update Services (WSUS) is a critical component of Windows systems and is frequently configured in a way that allows an attacker to circumvent internal networking limitations.
@@ -3,7 +3,7 @@ id: 9ec9fb1b-e059-4489-9642-f270c207923d
related:
- id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd
type: similar
status: experimental
status: test
description: |
Detects changes to the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" where the value is set to "0" in order to hide user account from being listed on the logon screen.
references:
@@ -1,6 +1,6 @@
title: Potentially Suspicious Rundll32.EXE Execution of UDL File
id: 0ea52357-cd59-4340-9981-c46c7e900428
status: experimental
status: test
description: |
Detects the execution of rundll32.exe with the oledb32.dll library to open a UDL file.
Threat actors can abuse this technique as a phishing vector to capture authentication credentials or other sensitive data.
@@ -3,7 +3,7 @@ id: a7c3d773-caef-227e-a7e7-c2f13c622329
related:
- id: f5647edc-a7bf-4737-ab50-ef8c60dc3add
type: obsolete
status: experimental
status: test
description: |
Detects attackers using tooling with bad opsec defaults.
E.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run.
@@ -3,7 +3,7 @@ id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
related:
- id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
type: derived
status: experimental
status: test
description: |
Detects execution of different log query utilities and commands to search and dump the content of specific event logs or look for specific event IDs.
This technique is used by threat actors in order to extract sensitive information from events logs such as usernames, IP addresses, hostnames, etc.
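Review bot: "events logs" in the second description line should be "event logs".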
@@ -5,7 +5,7 @@ related:
type: similar
- id: e4a6b256-3e47-40fc-89d2-7a477edd6915
type: similar
status: experimental
status: test
description: |
Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location.
Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
@@ -3,7 +3,7 @@ id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e
related:
- id: 5394fcc7-aeb2-43b5-9a09-cac9fc5edcd5
type: similar
status: experimental
status: test
description: Detects suspicious Windows Error Reporting manager (wermgr.exe) child process
references:
- https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
@@ -1,6 +1,6 @@
title: Wusa.EXE Executed By Parent Process Located In Suspicious Location
id: ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99
status: experimental
status: test
description: |
Detects execution of the "wusa.exe" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.
Attackers could instantiate an instance of "wusa.exe" in order to bypass User Account Control (UAC). They can duplicate the access token from "wusa.exe" to gain elevated privileges.
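Review bot: "instantiate an instance of "wusa.exe"" in the second description line is redundant; suggest "spawn "wusa.exe"" or "launch an instance of "wusa.exe"".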
@@ -1,6 +1,6 @@
title: Antivirus Filter Driver Disallowed On Dev Drive - Registry
id: 31e124fb-5dc4-42a0-83b3-44a69c77b271
status: experimental
status: test
description: |
Detects activity that indicates a user disabling the ability for Antivirus mini filter to inspect a "Dev Drive".
references:
@@ -3,7 +3,7 @@ id: 555155a2-03bf-4fe7-af74-d176b3fdbe16
related:
- id: 44cee399-f6b1-45cc-a87c-ea14c6064d6b
type: similar
status: experimental
status: test
description: |
Detects changes to the "HVCIDisallowedImages" registry value to potentially add a driver to the list, in order to prevent it from loading.
references: