Merge PR #4611 from @nasbench - Promote Older Rules Status From experimental To test

chore: promote older rules status from experimental to test

Co-authored-by: nasbench <nasbench@users.noreply.github.com>
github-actions[bot]
2023-12-01 12:50:36 +01:00
committed by GitHub
parent 64c79b90ec
commit ae960f0881
134 changed files with 134 additions and 134 deletions
@@ -5,7 +5,7 @@ related:
type: similar
- id: 74176142-4684-4d8a-8b0a-713257e7df8e
type: similar
status: experimental
status: test
description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
references:
- https://github.com/samratashok/ADModule
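Review bot: the description context line in this hunk still names the DLL as "Microsoft.ActiveDirectory.Management.dl", which looks like a truncated ".dll", and "Which is often used by attackers to perform AD enumeration." is a sentence fragment. Since the rule is being promoted to `test` here, it is worth fixing the description in the same change, e.g. `description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dll" DLL, which is often used by attackers to perform AD enumeration.`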
@@ -1,6 +1,6 @@
title: Potential Data Exfiltration Via Audio File
id: e4f93c99-396f-47c8-bb0f-201b1fa69034
status: experimental
status: test
description: Detects potential exfiltration attempt via audio file using PowerShell
references:
- https://github.com/gtworek/PSBits/blob/e97cbbb173b31cbc4d37244d3412de0a114dacfb/NoDLP/bin2wav.ps1
@@ -3,7 +3,7 @@ id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab
related:
- id: c31364f7-8be6-4b77-8483-dd2b5a7b69a3
type: similar
status: experimental
status: test
description: Detects powershell scripts that import modules from suspicious directories
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
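Review bot: style point on the description line of this hunk: "powershell" should be capitalised "PowerShell", matching the other rules touched in this PR ("...via audio file using PowerShell", "...Windows PowerShell cmdlets"). The description also says only "suspicious directories" without naming them; for a rule leaving `experimental`, stating which directories the rule matches would make its scope clear to anyone tuning it.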
@@ -3,7 +3,7 @@ id: 975b2262-9a49-439d-92a6-0709cccdf0b2
related:
- id: 37651c2a-42cd-4a69-ae0d-22a4349aa04a
type: similar
status: experimental
status: test
description: Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
references:
- https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package
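Review bot: grammar in the description context line: "it's alias" should be "its alias". Suggest `description: Detects usage of the "Add-AppxPackage" cmdlet or its alias "Add-AppPackage" to install unsigned AppX packages` while the rule is being edited anyway.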
@@ -1,6 +1,6 @@
title: Malicious Nishang PowerShell Commandlets
id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
status: experimental
status: test
description: Detects Commandlet names and arguments from the Nishang exploitation framework
references:
- https://github.com/samratashok/nishang
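Review bot: style point: "Commandlets" in the title and "Commandlet names" in the description are nonstandard; PowerShell calls them cmdlets, which is also the term the other rules in this PR use ("Import-Module" cmdlet, "Set-Alias or New-Alias cmdlet"). Suggest `title: Malicious Nishang PowerShell Cmdlets` and `description: Detects cmdlet names and arguments from the Nishang exploitation framework`.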
@@ -3,7 +3,7 @@ id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
related:
- id: 96cd126d-f970-49c4-848a-da3a09f55c55
type: derived
status: experimental
status: test
description: Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation
references:
- Internal Research
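Review bot: typo in the description context line of this hunk: "obfscuate" should be "obfuscate". Also, the only reference is "Internal Research", while the rule it is listed as `derived` from (96cd126d-f970-49c4-848a-da3a09f55c55, promoted in the next hunk) carries a public reference (https://github.com/1337Rin/Swag-PSO); consider carrying that reference over before the rule leaves `experimental`.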
@@ -3,7 +3,7 @@ id: 96cd126d-f970-49c4-848a-da3a09f55c55
related:
- id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
type: derived
status: experimental
status: test
description: Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts
references:
- https://github.com/1337Rin/Swag-PSO
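Review bot: grammar in the description context line: "Which can be use as a mean to obfuscate PowerShell scripts" is a fragment with two errors. Suggest joining it to the preceding sentence: `description: Detects Set-Alias or New-Alias cmdlet usage, which can be used as a means to obfuscate PowerShell scripts`.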
@@ -3,7 +3,7 @@ id: 1139d2e2-84b1-4226-b445-354492eba8ba
related:
- id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
type: derived
status: experimental
status: test
description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs
references:
- https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
@@ -1,6 +1,6 @@
title: Powershell XML Execute Command
id: 6c6c6282-7671-4fe9-a0ce-a2dcebdc342b
status: experimental
status: test
description: |
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
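Review bot: the multi-line description in this hunk carries "(Citation: TechNet PowerShell)", an ATT&CK-style citation marker copied along with the description text; inside a Sigma rule it resolves to nothing, so drop the marker and put the actual URL under `references` instead. Also, the title "Powershell XML Execute Command" should spell "PowerShell" as the other rules in this PR do.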