Merge PR #5101 from @nasbench - Promote older rules status from experimental to test

chore: promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
github-actions[bot]
2024-12-01 13:40:32 +01:00
committed by GitHub
parent 4075c508d1
commit 9367349016
37 changed files with 37 additions and 37 deletions
@@ -3,7 +3,7 @@ id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
related:
- id: e4556676-fc5c-4e95-8c39-5ef27791541f
type: similar
status: experimental
status: test
description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
references:
- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
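Review bot: The description on this hunk names CVE-2023-38331, but the reference URL directly below it names cve-2023-38831; the two digits are transposed in one of them. Since the promotion to `test` signals the rule has been validated, please align the description with the cited Group-IB URL (`CVE-2023-38831`) in the same change, or in a follow-up commit, so the rule does not ship with a wrong CVE identifier.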
@@ -1,6 +1,6 @@
title: Potential Pikabot C2 Activity
id: cae6cee6-0244-44d2-84ed-e65f548eb7dc
status: experimental
status: test
description: |
Detects the execution of rundll32 that leads to an external network connection.
The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.
@@ -1,6 +1,6 @@
title: Potential Pikabot Discovery Activity
id: 698d4431-514f-4c82-af4d-cf573872a9f5
status: experimental
status: test
description: |
Detects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups.
The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
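Review bot: The description's first line reads "such as incl. network, user info and domain groups", which mixes "such as" with "incl."; suggest "such as network, user and domain group information" so the rule text is clean when it moves out of experimental status. The status line itself is the only change in this hunk, so this is a follow-up edit rather than a blocker.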
@@ -1,6 +1,6 @@
title: Potential Pikabot Hollowing Activity
id: d8937fe7-42d5-4b4d-8178-e089c908f63f
status: experimental
status: test
description: |
Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.
The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
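Review bot: The description's last line, "...for process hollowing through hard-coded Windows binaries", ends without a period while the sibling Pikabot rules in this same commit terminate their description lines with one; suggest adding the period for consistency while the rule is being touched.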
@@ -1,6 +1,6 @@
title: Pikabot Fake DLL Extension Execution Via Rundll32.EXE
id: 1bf0ba65-9a39-42a2-9271-31d31bf2f0bf
status: experimental
status: test
description: |
Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.
references:
@@ -1,6 +1,6 @@
title: Peach Sandstorm APT Process Activity Indicators
id: 2e7bbd54-2f26-476e-b4a1-ba5f1a012614
status: experimental
status: test
description: Detects process creation activity related to Peach Sandstorm APT
references:
- https://twitter.com/MsftSecIntel/status/1737895710169628824
@@ -1,6 +1,6 @@
title: Potential Peach Sandstorm APT C2 Communication Activity
id: b8225208-81d0-4715-a822-12bcdd583e0f
status: experimental
status: test
description: Detects potential C2 communication activity related to Peach Sandstorm APT
references:
- https://twitter.com/MsftSecIntel/status/1737895710169628824
@@ -1,6 +1,6 @@
title: Firewall Rule Modified In The Windows Firewall Exception List
id: 5570c4d9-8fdd-4622-965b-403a5a101aa0
status: experimental
status: test
description: Detects when a rule has been modified in the Windows firewall exception list
references:
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
@@ -1,6 +1,6 @@
title: Dfsvc.EXE Initiated Network Connection Over Uncommon Port
id: 4c5fba4a-9ef6-4f16-823d-606246054741
status: experimental
status: test
description: Detects an initiated network connection over uncommon ports from "dfsvc.exe". A utility used to handled ClickOnce applications.
references:
- https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
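Review bot: The description contains a verb-form error, "A utility used to handled ClickOnce applications"; it should read "A utility used to handle ClickOnce applications". Also consider joining the two fragments into one sentence ("...from "dfsvc.exe", a utility used to handle ClickOnce applications.") since the second fragment has no subject of its own.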
@@ -1,6 +1,6 @@
title: New Self Extracting Package Created Via IExpress.EXE
id: c2b478fc-09bf-40b2-8768-ab3ec8d61c9a
status: experimental
status: test
description: |
Detects the "iexpress.exe" utility creating self-extracting packages.
Attackers where seen leveraging "iexpress" to compile packages on the fly via ".sed" files.
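Review bot: The description's second line uses "where" instead of "were": "Attackers where seen leveraging "iexpress"..." should be "Attackers were seen leveraging "iexpress"...". Worth fixing before the rule is advertised at `test` status, since the description is what analysts read in the alert.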
@@ -3,7 +3,7 @@ id: d48c5ffa-3b02-4c0f-9a9e-3c275650dd0e
related:
- id: 12fbff88-16b5-4b42-9754-cd001a789fb3
type: derived
status: experimental
status: test
description: |
Detects a CodePage modification using the "mode.com" utility.
This behavior has been used by threat actors behind Dharma ransomware.
@@ -3,7 +3,7 @@ id: 9cd55b6c-430a-4fa9-96f4-7cadf5229e9f
related:
- id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
type: derived
status: experimental
status: test
description: |
Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.
references:
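Review bot: The description opens with "Detect attempts to query..." whereas every other rule in this commit uses the third-person "Detects ..."; suggest "Detects attempts to query the contents of the event log..." for consistency with the repository's wording.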
@@ -3,7 +3,7 @@ id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
related:
- id: 9d5a1274-922a-49d0-87f3-8c653483b909
type: derived
status: experimental
status: test
description: |
Detects the use of the WMI command-line (WMIC) utility to identify and display various system information,
including OS, CPU, GPU, disk drive names, memory capacity, display resolution, baseboard, BIOS,
@@ -1,6 +1,6 @@
title: GCP Access Policy Deleted
id: 32438676-1dba-4ac7-bf69-b86cba995e05
status: experimental
status: test
description: |
Detects when an access policy that is applied to a GCP cloud resource is deleted.
An adversary would be able to remove access policies to gain access to a GCP cloud resource.
@@ -1,6 +1,6 @@
title: GCP Break-glass Container Workload Deployed
id: 76737c19-66ee-4c07-b65a-a03301d1573d
status: experimental
status: test
description: |
Detects the deployment of workloads that are deployed by using the break-glass flag to override Binary Authorization controls.
references:
@@ -1,6 +1,6 @@
title: Google Workspace Application Access Level Modified
id: 22f2fb54-5312-435d-852f-7c74f81684ca
status: experimental
status: test
description: |
Detects when an access level is changed for a Google workspace application.
An access level is part of BeyondCorp Enterprise which is Google Workspace's way of enforcing Zero Trust model.
@@ -1,6 +1,6 @@
title: All Rules Have Been Deleted From The Windows Firewall Configuration
id: 79609c82-a488-426e-abcf-9f341a39365d
status: experimental
status: test
description: Detects when a all the rules have been deleted from the Windows Defender Firewall configuration
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10)
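Review bot: The description has a stray article, "Detects when a all the rules have been deleted..."; it should read "Detects when all the rules have been deleted from the Windows Defender Firewall configuration". A trailing period would also match the other single-line descriptions in this commit.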
@@ -1,6 +1,6 @@
title: Windows Filtering Platform Blocked Connection From EDR Agent Binary
id: bacf58c6-e199-4040-a94f-95dea0f1e45a
status: experimental
status: test
description: |
Detects a Windows Filtering Platform (WFP) blocked connection event involving common Endpoint Detection and Response (EDR) agents.
Adversaries may use WFP filters to prevent Endpoint Detection and Response (EDR) agents from reporting security events.
@@ -1,6 +1,6 @@
title: HackTool - EDRSilencer Execution - Filter Added
id: 98054878-5eab-434c-85d4-72d4e5a3361b
status: experimental
status: test
description: |
Detects execution of EDRSilencer, a tool that abuses the Windows Filtering Platform (WFP) to block the outbound traffic of running EDR agents based on specific hardcoded filter names.
references:
@@ -1,6 +1,6 @@
title: Remote Thread Creation In Mstsc.Exe From Suspicious Location
id: c0aac16a-b1e7-4330-bab0-3c27bb4987c7
status: experimental
status: test
description: |
Detects remote thread creation in the "mstsc.exe" process by a process located in a potentially suspicious location.
This technique is often used by attackers in order to hook some APIs used by DLLs loaded by "mstsc.exe" during RDP authentications in order to steal credentials.
@@ -3,7 +3,7 @@ id: 760e75d8-c3b5-409b-a9bf-6130b4c4603f
related:
- id: ab90dab8-c7da-4010-9193-563528cfa347
type: derived
status: experimental
status: test
description: |
Detects the creation of Self Extraction Directive files (.sed) in a potentially suspicious location.
These files are used by the "iexpress.exe" utility in order to create self extracting packages.
@@ -3,7 +3,7 @@ id: ab90dab8-c7da-4010-9193-563528cfa347
related:
- id: 760e75d8-c3b5-409b-a9bf-6130b4c4603f
type: derived
status: experimental
status: test
description: |
Detects the creation of a binary file with the ".sed" extension. The ".sed" extension stand for Self Extraction Directive files.
These files are used by the "iexpress.exe" utility in order to create self extracting packages.
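Review bot: Subject-verb agreement in the description: "The ".sed" extension stand for Self Extraction Directive files" should be "stands for". Note also that the same sentence in the sibling rule 760e75d8-c3b5-409b-a9bf-6130b4c4603f (earlier in this commit) is worded correctly, so only this file needs the fix.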
@@ -5,7 +5,7 @@ related:
type: obsolete
- id: fe6e002f-f244-4278-9263-20e4b593827f
type: obsolete
status: experimental
status: test
description: |
Detects loading of essential DLLs used by PowerShell by non-PowerShell process.
Detects behavior similar to meterpreter's "load powershell" extension.
@@ -1,6 +1,6 @@
title: System Control Panel Item Loaded From Uncommon Location
id: 2b140a5c-dc02-4bb8-b6b1-8bdb45714cde
status: experimental
status: test
description: Detects image load events of system control panel items (.cpl) from uncommon or non-system locations which might be the result of sideloading.
references:
- https://www.hexacorn.com/blog/2024/01/06/1-little-known-secret-of-fondue-exe/
@@ -1,6 +1,6 @@
title: Uncommon Connection to Active Directory Web Services
id: b3ad3c0f-c949-47a1-a30e-b0491ccae876
status: experimental
status: test
description: |
Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
references:
@@ -1,6 +1,6 @@
title: Remote CHM File Download/Execution Via HH.EXE
id: f57c58b3-ee69-4ef5-9041-455bf39aaa89
status: experimental
status: test
description: Detects the usage of "hh.exe" to execute/download remotely hosted ".chm" files.
references:
- https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html
@@ -1,6 +1,6 @@
title: HackTool - SharpMove Tool Execution
id: 055fb54c-a8f4-4aee-bd44-f74cf30a0d9d
status: experimental
status: test
description: |
Detects the execution of SharpMove, a .NET utility performing multiple tasks such as "Task Creation", "SCM" query, VBScript execution using WMI via its PE metadata and command line options.
references:
@@ -1,6 +1,6 @@
title: HackTool - SOAPHound Execution
id: e92a4287-e072-4a40-9739-370c106bb750
status: experimental
status: test
description: |
Detects the execution of SOAPHound, a .NET tool for collecting Active Directory data, using specific command-line arguments that may indicate an attempt to extract sensitive AD information.
references:
@@ -3,7 +3,7 @@ id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
related:
- id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0
type: similar
status: experimental
status: test
description: Detects suspicious processes spawned from a Java host process which could indicate a sign of exploitation (e.g. log4j)
references:
- https://web.archive.org/web/20231230220738/https://www.lunasec.io/docs/blog/log4j-zero-day/
@@ -3,7 +3,7 @@ id: 12fbff88-16b5-4b42-9754-cd001a789fb3
related:
- id: d48c5ffa-3b02-4c0f-9a9e-3c275650dd0e
type: derived
status: experimental
status: test
description: |
Detects a CodePage modification using the "mode.com" utility to Russian language.
This behavior has been used by threat actors behind Dharma ransomware.
@@ -5,7 +5,7 @@ related:
type: derived
- id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
type: similar
status: experimental
status: test
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
- https://adsecurity.org/?p=2921
@@ -3,7 +3,7 @@ id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c
related:
- id: b37998de-a70b-4f33-b219-ec36bf433dc0
type: derived
status: experimental
status: test
description: Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level.
references:
- https://github.com/vletoux/pingcastle
@@ -3,7 +3,7 @@ id: b37998de-a70b-4f33-b219-ec36bf433dc0
related:
- id: b1cb4ab6-ac31-43f4-adf1-d9d08957419c
type: derived
status: experimental
status: test
description: |
Detects the execution of PingCastle, a tool designed to quickly assess the Active Directory security level via a script located in a potentially suspicious or uncommon location.
references:
@@ -1,6 +1,6 @@
title: Renamed PingCastle Binary Execution
id: 2433a154-bb3d-42e4-86c3-a26bdac91c45
status: experimental
status: test
description: Detects the execution of a renamed "PingCastle" binary based on the PE metadata fields.
references:
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
@@ -3,7 +3,7 @@ id: c79da740-5030-45ec-a2e0-479e824a562c
related:
- id: d85ecdd7-b855-4e6e-af59-d9c78b5b861e
type: similar
status: experimental
status: test
description: |
An adversary might use WMI to discover information about the system, such as the volume name, size,
free space, and other disk information. This can be done using the `wmic` command-line utility and has been
@@ -3,7 +3,7 @@ id: cea72823-df4d-4567-950c-0b579eaf0846
related:
- id: 1e33157c-53b1-41ad-bbcc-780b80b58288
type: similar
status: experimental
status: test
description: Detects wscript/cscript executions of scripts located in user directories
references:
- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
@@ -1,6 +1,6 @@
title: Potential Persistence Via MyComputer Registry Keys
id: 8fbe98a8-8f9d-44f8-aa71-8c572e29ef06
status: experimental
status: test
description: Detects modification to the "Default" value of the "MyComputer" key and subkeys to point to a custom binary that will be launched whenever the associated action is executed (see reference section for example)
references:
- https://www.hexacorn.com/blog/2017/01/18/beyond-good-ol-run-key-part-55/