Merge PR #4533 from @nasbench - Promote experimental rules

chore: promote older rules status from `experimental` to `test`

---------

Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
This commit is contained in:
github-actions[bot]
2023-11-02 10:48:45 +01:00
committed by GitHub
parent ba3ff861fc
commit a6e7cce606
98 changed files with 98 additions and 98 deletions
@@ -3,7 +3,7 @@ id: 91e69562-2426-42ce-a647-711b8152ced6
related:
- id: c86500e9-a645-4680-98d7-f882c70c1ea3
type: similar
status: experimental
status: test
description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
references:
- https://o365blog.com/aadinternals/
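Review bot: the description in this hunk still reads "ADDInternals" while the reference (https://o365blog.com/aadinternals/) and the rule's subject are AADInternals; since the file is being touched anyway, fix the typo and merge the fragment "A tool for administering Azure AD and Office 365. Which can be abused ..." into one sentence, e.g. `description: Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365 that threat actors can abuse to attack those services.` More generally, this and the other hunks change only `status: experimental` to `status: test`, and the commit message gives rule age as the criterion; a line in the PR stating what review (false-positive check, test data) backs the promotion would make the new status meaningful to consumers who filter rules by it.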
@@ -1,6 +1,6 @@
title: Potential In-Memory Execution Using Reflection.Assembly
id: ddcd88cb-7f62-4ce5-86f9-1704190feb0a
status: experimental
status: test
description: Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
@@ -3,7 +3,7 @@ id: 3c7d1587-3b13-439f-9941-7d14313dbdfe
related:
- id: 02b64f1b-3f33-4e67-aede-ef3b0a5a8fcf
type: similar
status: experimental
status: test
description: Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
references:
- https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0
@@ -3,7 +3,7 @@ id: 55c925c1-7195-426b-a136-a9396800e29b
related:
- id: c740d4cf-a1e9-41de-bb16-8a46a4f57918
type: similar
status: experimental
status: test
description: |
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool.
Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
@@ -3,7 +3,7 @@ id: df69cb1d-b891-4cd9-90c7-d617d90100ce
related:
- id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f
type: similar
status: experimental
status: test
description: Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43
@@ -1,6 +1,6 @@
title: Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
status: experimental
status: test
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014
references:
- https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
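Review bot: the description on this hunk ends with "from the following code block \u2014", but a single-line description carries no code block and a `\u2014` escape is not decoded in a YAML plain scalar, so the rendered text ends in a literal backslash sequence; trim it to something like `description: Detects all variations of obfuscated PowerShell IEX invocation code generated by the Invoke-Obfuscation framework (see the referenced Out-ObfuscatedStringCommand.ps1 lines)` before promoting.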
@@ -1,6 +1,6 @@
title: PowerShell Remote Session Creation
id: a0edd39f-a0c6-4c17-8141-261f958e8d8f
status: experimental
status: test
description: |
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system
@@ -7,7 +7,7 @@ related:
type: similar
- id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry
type: similar
status: experimental
status: test
description: Detects use of Set-ExecutionPolicy to set insecure policies
references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1
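Review bot: the reference on this hunk points at docs.microsoft.com, which now redirects to learn.microsoft.com; the other Microsoft link touched in this PR (the GetTypeFromClsid reference) already uses learn.microsoft.com, so update this one (and the Set-NetFirewallProfile reference in the later hunk) for consistency while the files are being modified.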
@@ -1,6 +1,6 @@
title: Potential Persistence Via Security Descriptors - ScriptBlock
id: 2f77047c-e6e9-4c11-b088-a3de399524cd
status: experimental
status: test
description: Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.
references:
- https://github.com/HarmJ0y/DAMP
@@ -7,7 +7,7 @@ related:
type: similar
- id: 536e2947-3729-478c-9903-745aaffe60d2
type: similar
status: experimental
status: test
description: Detects suspicious PowerShell invocation command parameters
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
date: 2017/03/05
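Review bot: "Detects suspicious PowerShell invocation command parameters" on this hunk names no parameter, so an analyst reading an alert cannot tell what matched; before promoting to `test`, expand the description to list the parameter patterns the detection section keys on, so the status change is backed by a rule whose intent a reader can verify.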
@@ -1,6 +1,6 @@
title: Change User Agents with WebRequest
id: d4488827-73af-4f8d-9244-7b7662ef046e
status: experimental
status: test
description: |
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
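Review bot: the opening lines of the description in this hunk reproduce the generic ATT&CK text for web-protocol command and control rather than what the title says the rule matches; state in the first sentence the concrete behaviour, i.e. the User-Agent change via WebRequest that the title names, and keep the ATT&CK context as a later sentence so triage does not have to infer the trigger from the title alone.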
@@ -1,6 +1,6 @@
title: Potential Keylogger Activity
id: 965e2db9-eddb-4cf6-a986-7a967df651e4
status: experimental
status: test
description: Detects PowerShell scripts that contains reference to keystroke capturing functions
references:
- https://twitter.com/ScumBots/status/1610626724257046529
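Review bot: grammar in the description on this hunk: "scripts that contains reference to" should read "scripts that contain references to keystroke-capturing functions".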
@@ -3,7 +3,7 @@ id: 488b44e7-3781-4a71-888d-c95abfacf44d
related:
- id: 12f6b752-042d-483e-bf9c-915a6d06ad75
type: similar
status: experimental
status: test
description: Detects when a user disables the Windows Firewall via a Profile to help evade defense.
references:
- https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps
@@ -3,7 +3,7 @@ id: 504d63cb-0dba-4d02-8531-e72981aace2c
related:
- id: 114de787-4eb2-48cc-abdb-c0b449f93ea4
type: similar
status: experimental
status: test
description: Detect use of X509Enrollment
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42
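Review bot: the description in this hunk, "Detect use of X509Enrollment", is the only one among the visible hunks written in the bare imperative, and it gives no hint of why the usage matters; align it with the "Detects ..." form used elsewhere and add the purpose the referenced slide shows, e.g. `description: Detects usage of X509Enrollment objects in PowerShell, which can be abused for ...`, filling in the abuse case from the reference.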