Revert "Change status of old rules"

frack113
2023-01-26 19:37:18 +01:00
committed by GitHub
parent bc0e90f495
commit cb67871bd2
77 changed files with 98 additions and 154 deletions
@@ -1,6 +1,6 @@
title: Remote Schedule Task Lateral Movement via ATSvc
id: 0fcd1c79-4eeb-4746-aba9-1b458f7a79cb
status: test
status: experimental
description: Detects remote RPC calls to create or execute a scheduled task via ATSvc
references:
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
@@ -9,7 +9,7 @@ references:
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2023/01/25
modified: 2022/01/01
tags:
- attack.lateral_movement
- attack.t1053
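Review bot: restoring `modified: 2022/01/01` in this hunk leaves `modified` identical to `date: 2022/01/01`, so the field carries no information. Elsewhere in this revert (the `-1,13 +1,12` and `-8,7 +8,6` hunks) the `modified` line is simply dropped for rules that had never been changed before; the same treatment would fit this rule and the other `author: Sagie Dulce, Dekel Paz` rules below, every one of which reverts to a `modified` value equal to its `date`.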
@@ -1,6 +1,6 @@
title: Remote Schedule Task Recon via AtScv
id: f177f2bc-5f3e-4453-b599-57eefce9a59c
status: test
status: experimental
description: Detects remote RPC calls to read information about scheduled tasks via AtScv
references:
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
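Review bot: unrelated to the status change, but the context lines spell the interface `AtScv` in both the title (`Remote Schedule Task Recon via AtScv`) and the description, while the sibling rule above uses `ATSvc`; a follow-up fix would let both ATSvc rules be found under the same name.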
@@ -10,7 +10,7 @@ references:
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2023/01/25
modified: 2022/01/01
tags:
- attack.discovery
logsource:
@@ -1,6 +1,6 @@
title: Possible DCSync Attack
id: 56fda488-113e-4ce9-8076-afc2457922c3
status: test
status: experimental
description: Detects remote RPC calls to MS-DRSR from non DC hosts, which could indicate DCSync / DCShadow attacks.
references:
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-drsr/f977faaa-673e-4f66-b9bf-48c640241d47?redirectedfrom=MSDN
@@ -9,7 +9,7 @@ references:
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2023/01/25
modified: 2022/01/01
tags:
- attack.t1033
- attack.discovery
@@ -1,6 +1,6 @@
title: Remote Encrypting File System Abuse
id: 5f92fff9-82e2-48eb-8fc1-8b133556a551
status: test
status: experimental
description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942
@@ -9,7 +9,7 @@ references:
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2023/01/25
modified: 2022/01/01
tags:
- attack.lateral_movement
logsource:
@@ -1,13 +1,13 @@
title: Remote Event Log Recon
id: 2053961f-44c7-4a64-b62d-f6e72800af0d
status: test
status: experimental
description: Detects remote RPC calls to get event log information via EVEN or EVEN6
references:
- https://github.com/zeronetworks/rpcfirewall
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2023/01/25
modified: 2022/01/01
tags:
- attack.discovery
logsource:
@@ -1,6 +1,6 @@
title: Remote Schedule Task Lateral Movement via ITaskSchedulerService
id: ace3ff54-e7fd-46bd-8ea0-74b49a0aca1d
status: test
status: experimental
description: Detects remote RPC calls to create or execute a scheduled task
references:
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
@@ -9,7 +9,7 @@ references:
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2023/01/25
modified: 2022/01/01
tags:
- attack.lateral_movement
- attack.t1053
@@ -1,6 +1,6 @@
title: Remote Schedule Task Recon via ITaskSchedulerService
id: 7f7c49eb-2977-4ac8-8ab0-ab1bae14730e
status: test
status: experimental
description: Detects remote RPC calls to read information about scheduled tasks
references:
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
@@ -9,7 +9,7 @@ references:
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2023/01/25
modified: 2022/01/01
tags:
- attack.discovery
logsource:
@@ -1,6 +1,6 @@
title: Remote Printing Abuse for Lateral Movement
id: bc3a4b0c-e167-48e1-aa88-b3020950e560
status: test
status: experimental
description: Detects remote RPC calls to possibly abuse remote printing service via MS-RPRN / MS-PAR
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
@@ -11,7 +11,7 @@ references:
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2023/01/25
modified: 2022/01/01
tags:
- attack.lateral_movement
logsource:
@@ -1,6 +1,6 @@
title: Remote DCOM/WMI Lateral Movement
id: 68050b10-e477-4377-a99b-3721b422d6ef
status: test
status: experimental
description: Detects remote RPC calls that performs remote DCOM operations. These could be abused for lateral movement via DCOM or WMI.
references:
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
@@ -8,7 +8,7 @@ references:
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2023/01/25
modified: 2022/01/01
tags:
- attack.lateral_movement
- attack.t1021.003
@@ -1,6 +1,6 @@
title: Remote Registry Lateral Movement
id: 35c55673-84ca-4e99-8d09-e334f3c29539
status: test
status: experimental
description: Detects remote RPC calls to modify the registry and possible execute code
references:
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
@@ -9,7 +9,7 @@ references:
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2023/01/25
modified: 2022/01/01
tags:
- attack.lateral_movement
- attack.t1112
@@ -1,6 +1,6 @@
title: Remote Registry Recon
id: d8ffe17e-04be-4886-beb9-c1dd1944b9a8
status: test
status: experimental
description: Detects remote RPC calls to collect information
references:
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/0fa3191d-bb79-490a-81bd-54c2601b7a78
@@ -9,7 +9,7 @@ references:
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2023/01/25
modified: 2022/01/01
tags:
- attack.discovery
logsource:
@@ -1,6 +1,6 @@
title: Remote Server Service Abuse
id: b6ea3cc7-542f-43ef-bbe4-980fbed444c7
status: test
status: experimental
description: Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS
references:
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
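Review bot: the description context line reads `Detects remote RPC calls to possibly abuse remote encryption service via MS-SRVS`, which is the MS-EFSR wording from the Remote Encrypting File System Abuse rule above; MS-SRVS is the Server Service, and the description should say so. Not introduced by this revert, but worth a follow-up.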
@@ -9,7 +9,7 @@ references:
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2023/01/25
modified: 2022/01/01
tags:
- attack.lateral_movement
logsource:
@@ -1,6 +1,6 @@
title: Remote Server Service Abuse for Lateral Movement
id: 10018e73-06ec-46ec-8107-9172f1e04ff2
status: test
status: experimental
description: Detects remote RPC calls to possibly abuse remote encryption service via MS-EFSR
references:
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9
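Review bot: the title and the reference (`ms-srvs/accf23b0-...`) point at MS-SRVS, but the description says `via MS-EFSR`; one of the two is a copy-paste error and the description is the likely one. Not part of the status change, but a follow-up would keep the rule self-consistent.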
@@ -9,7 +9,7 @@ references:
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2023/01/25
modified: 2022/01/01
tags:
- attack.lateral_movement
- attack.t1569.002
@@ -1,6 +1,6 @@
title: Remote Schedule Task Lateral Movement via SASec
id: aff229ab-f8cd-447b-b215-084d11e79eb0
status: test
status: experimental
description: Detects remote RPC calls to create or execute a scheduled task via SASec
references:
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931
@@ -9,7 +9,7 @@ references:
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2023/01/25
modified: 2022/01/01
tags:
- attack.lateral_movement
- attack.t1053
@@ -1,6 +1,6 @@
title: SharpHound Recon Account Discovery
id: 65f77b1e-8e79-45bf-bb67-5988a8ce45a5
status: test
status: experimental
description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
references:
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3
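Review bot: `useb` in the description should be `used`. The same typo and the identical description appear in the `SharpHound Recon Sessions` hunk below, even though that rule covers session enumeration rather than account discovery, so a follow-up could also give each rule a description that matches its title.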
@@ -9,7 +9,7 @@ references:
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2023/01/25
modified: 2022/01/01
tags:
- attack.t1087
- attack.discovery
@@ -1,6 +1,6 @@
title: SharpHound Recon Sessions
id: 6d580420-ff3f-4e0e-b6b0-41b90c787e28
status: test
status: experimental
description: Detects remote RPC calls useb by SharpHound to map remote connections and local group membership.
references:
- https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183
@@ -9,7 +9,7 @@ references:
- https://zeronetworks.com/blog/stopping_lateral_movement_via_the_rpc_firewall/
author: Sagie Dulce, Dekel Paz
date: 2022/01/01
modified: 2023/01/25
modified: 2022/01/01
tags:
- attack.t1033
logsource:
@@ -1,13 +1,12 @@
title: Disable System Firewall
id: 53059bc0-1472-438b-956a-7508a94a91f0
status: test
status: experimental
description: Detects disabling of system firewalls which could be used by adversaries to bypass controls that limit usage of the network.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
- https://firewalld.org/documentation/man-pages/firewall-cmd.html
author: 'Pawel Mazur'
date: 2022/01/22
modified: 2023/01/25
tags:
- attack.t1562.004
- attack.defense_evasion
@@ -1,12 +1,12 @@
title: Mimikatz Use
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
status: test
status: experimental
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
references:
- https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (rule), David ANDRE (additional keywords)
date: 2017/01/10
modified: 2023/01/25
modified: 2022/01/05
tags:
- attack.s0002
- attack.lateral_movement
@@ -1,12 +1,11 @@
title: Delete Log from Application
id: b1decb61-ed83-4339-8e95-53ea51901720
status: test
status: experimental
description: Deletion of log files is a known anti-forensic technique
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
author: frack113
date: 2022/01/16
modified: 2023/01/25
tags:
- attack.defense_evasion
- attack.t1070.004
@@ -1,6 +1,6 @@
title: New Shim Database Created in the Default Directory
id: ee63c85c-6d51-4d12-ad09-04e25877a947
status: test
status: experimental
description: |
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.
The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time.
@@ -8,7 +8,6 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory
author: frack113
date: 2021/12/29
modified: 2023/01/25
tags:
- attack.persistence
- attack.t1547.009
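Review bot: the context lines tag this rule `attack.t1547.009` while the reference is the T1546.011 atomic test (application shimming), so the ATT&CK tag does not match the technique the rule documents; not introduced here, but flag it for a follow-up correction.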
@@ -1,6 +1,6 @@
title: Creation Exe for Service with Unquoted Path
id: 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9
status: test
status: experimental
description: |
Adversaries may execute their own malicious payloads by hijacking vulnerable file path references.
Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.
@@ -8,7 +8,6 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md
author: frack113
date: 2021/12/30
modified: 2023/01/25
tags:
- attack.persistence
- attack.t1547.009
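Review bot: the tag `attack.t1547.009` again does not match the referenced atomic test, which is T1574.009 (unquoted path); the same tag appears in the shim database rule above with yet another reference, which suggests a copy-paste origin. Worth a follow-up.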
@@ -1,6 +1,6 @@
title: Dynamic C Sharp Compile Artefact
id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
status: test
status: experimental
description: |
When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
Certain processes are not typically observed compiling C# code, but can do so without touching disk.
@@ -9,7 +9,6 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile
author: frack113
date: 2022/01/09
modified: 2023/01/25
tags:
- attack.defense_evasion
- attack.t1027.004
@@ -1,12 +1,11 @@
title: Installation of TeamViewer Desktop
id: 9711de76-5d4f-4c50-a94f-21e4e8f8384d
status: test
status: experimental
description: TeamViewer_Desktop.exe is create during install
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows
author: frack113
date: 2022/01/28
modified: 2023/01/25
tags:
- attack.command_and_control
- attack.t1219
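Review bot: `TeamViewer_Desktop.exe is create during install` in the description should read `is created during install`.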
@@ -1,12 +1,11 @@
title: Suspicious Creation TXT File in User Desktop
id: caf02a0a-1e1c-4552-9b48-5e070bd88d11
status: test
status: experimental
description: Ransomware create txt file in the user Desktop
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note
author: frack113
date: 2021/12/26
modified: 2023/01/25
tags:
- attack.impact
- attack.t1486
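Review bot: `Ransomware create txt file in the user Desktop` should read `Ransomware creates a txt file in the user's Desktop`; the description is what analysts see in alert output, so the grammar is worth fixing in a follow-up.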
@@ -1,12 +1,12 @@
title: Suspicious Scheduled Task Write to System32 Tasks
id: 80e1f67a-4596-4351-98f5-a9c3efabac95
status: test
status: experimental
description: Detects the creation of tasks from processes executed from suspicious locations
references:
- Internal Research
author: Florian Roth
date: 2021/11/16
modified: 2023/01/25
modified: 2022/01/12
tags:
- attack.persistence
- attack.execution
@@ -1,12 +1,12 @@
title: WMI Modules Loaded
id: 671bb7e3-a020-4824-a00e-2ee5b55f385e
status: test
status: experimental
description: Detects non wmiprvse loading WMI modules
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/08/10
modified: 2023/01/25
modified: 2022/01/12
tags:
- attack.execution
- attack.t1047
@@ -1,13 +1,12 @@
title: Download a File with IMEWDBLD.exe
id: 8d7e392e-9b28-49e1-831d-5949c6281228
status: test
status: experimental
description: Use IMEWDBLD.exe (built-in to windows) to download a file
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download
- https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/
author: frack113
date: 2022/01/22
modified: 2023/01/25
tags:
- attack.command_and_control
- attack.t1105
@@ -1,6 +1,6 @@
title: Msiexec Initiated Connection
id: 8e5e38e4-5350-4c0b-895a-e872ce0dd54f
status: test
status: experimental
description: |
Adversaries may abuse msiexec.exe to proxy execution of malicious payloads.
Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi)
@@ -9,7 +9,6 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
author: frack113
date: 2022/01/16
modified: 2023/01/25
tags:
- attack.defense_evasion
- attack.t1218.007
@@ -1,13 +1,12 @@
title: Powershell Create Scheduled Task
id: 363eccc0-279a-4ccf-a3ab-24c2e63b11fb
status: test
status: experimental
description: Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task
author: frack113
date: 2021/12/28
modified: 2023/01/25
tags:
- attack.persistence
- attack.t1053.005
@@ -1,6 +1,6 @@
title: Registry-Free Process Scope COR_PROFILER
id: 23590215-4702-4a70-8805-8dc9e58314a2
status: test
status: experimental
description: |
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.
The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).
@@ -11,7 +11,6 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler
author: frack113
date: 2021/12/30
modified: 2023/01/25
tags:
- attack.persistence
- attack.t1574.012
@@ -1,13 +1,12 @@
title: Create Volume Shadow Copy with Powershell
id: afd12fed-b0ec-45c9-a13d-aa86625dac81
status: test
status: experimental
description: Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
references:
- https://attack.mitre.org/datasources/DS0005/
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7
author: frack113
date: 2022/01/12
modified: 2023/01/25
tags:
- attack.credential_access
- attack.t1003.003
@@ -1,6 +1,6 @@
title: Manipulation of User Computer or Group Security Principals Across AD
id: b29a93fb-087c-4b5b-a84d-ee3309e69d08
status: test
status: experimental
description: |
Adversaries may create a domain account to maintain access to victim systems.
Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..
@@ -9,7 +9,6 @@ references:
- https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0
author: frack113
date: 2021/12/28
modified: 2023/01/25
tags:
- attack.persistence
- attack.t1136.002
@@ -1,13 +1,12 @@
title: Enable Windows Remote Management
id: 991a9744-f2f0-44f2-bd33-9092eba17dc3
status: test
status: experimental
description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
author: frack113
date: 2022/01/07
modified: 2023/01/25
tags:
- attack.lateral_movement
- attack.t1021.006
@@ -1,6 +1,6 @@
title: Service Registry Permissions Weakness Check
id: 95afc12e-3cbb-40c3-9340-84a032e596a3
status: test
status: experimental
description: |
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
@@ -10,7 +10,6 @@ references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2
author: frack113
date: 2021/12/30
modified: 2023/01/25
tags:
- attack.persistence
- attack.t1574.011
@@ -1,13 +1,12 @@
title: Execute Invoke-command on Remote Host
id: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6
status: test
status: experimental
description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2
author: frack113
date: 2022/01/07
modified: 2023/01/25
tags:
- attack.lateral_movement
- attack.t1021.006
@@ -1,13 +1,12 @@
title: Powershell DNSExfiltration
id: d59d7842-9a21-4bc6-ba98-64bfe0091355
status: test
status: experimental
description: DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh
- https://github.com/Arno0x/DNSExfiltrator
author: frack113
date: 2022/01/07
modified: 2023/01/25
tags:
- attack.exfiltration
- attack.t1048
@@ -1,6 +1,6 @@
title: Powershell LocalAccount Manipulation
id: 4fdc44df-bfe9-4fcc-b041-68f5a2d3031c
status: test
status: experimental
description: |
Adversaries may manipulate accounts to maintain access to victim systems.
Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups
@@ -9,7 +9,6 @@ references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1
author: frack113
date: 2021/12/28
modified: 2023/01/25
tags:
- attack.persistence
- attack.t1098
@@ -1,6 +1,6 @@
title: Code Executed Via Office Add-in XLL File
id: 36fbec91-fa1b-4d5d-8df1-8d8edcb632ad
status: test
status: experimental
description: |
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.
Office add-ins can be used to add functionality to Office programs
@@ -8,7 +8,6 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md
author: frack113
date: 2021/12/28
modified: 2023/01/25
tags:
- attack.persistence
- attack.t1137.006
@@ -1,6 +1,6 @@
title: Request A Single Ticket via PowerShell
id: a861d835-af37-4930-bcd6-5b178bfb54df
status: test
status: experimental
description: |
utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.
This behavior is typically used during a kerberos or silver ticket attack.
@@ -9,7 +9,6 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
author: frack113
date: 2021/12/28
modified: 2023/01/25
tags:
- attack.credential_access
- attack.t1558.003
@@ -1,6 +1,6 @@
title: Powershell Execute Batch Script
id: b5522a23-82da-44e5-9c8b-e10ed8955f88
status: test
status: experimental
description: |
Adversaries may abuse the Windows command shell for execution.
The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.
@@ -11,7 +11,6 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script
author: frack113
date: 2022/01/02
modified: 2023/01/25
tags:
- attack.execution
- attack.t1059.003
@@ -1,6 +1,6 @@
title: Suspicious Connection to Remote Account
id: 1883444f-084b-419b-ac62-e0d0c5b3693f
status: test
status: experimental
description: |
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism
@@ -8,7 +8,6 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos
author: frack113
date: 2021/12/27
modified: 2023/01/25
tags:
- attack.credential_access
- attack.t1110.001
@@ -1,6 +1,6 @@
title: Remove Account From Domain Admin Group
id: 48a45d45-8112-416b-8a67-46e03a4b2107
status: test
status: experimental
description: |
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
@@ -8,7 +8,6 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
author: frack113
date: 2021/12/26
modified: 2023/01/25
tags:
- attack.impact
- attack.t1531
@@ -1,13 +1,12 @@
title: Suspicious SSL Connection
id: 195626f3-5f1b-4403-93b7-e6cfd4d6a078
status: test
status: experimental
description: Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2
- https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
author: frack113
date: 2022/01/23
modified: 2023/01/25
tags:
- attack.command_and_control
- attack.t1573
@@ -1,13 +1,12 @@
title: Suspicious Start-Process PassThru
id: 0718cd72-f316-4aa2-988f-838ea8533277
status: test
status: experimental
description: Powershell use PassThru option to start in background
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
author: frack113
date: 2022/01/15
modified: 2023/01/25
tags:
- attack.defense_evasion
- attack.t1036.003
@@ -1,6 +1,6 @@
title: Replace Desktop Wallpaper by Powershell
id: c5ac6a1e-9407-45f5-a0ce-ca9a0806a287
status: test
status: experimental
description: |
An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.
This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper
@@ -8,7 +8,6 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md
author: frack113
date: 2021/12/26
modified: 2023/01/25
tags:
- attack.impact
- attack.t1491.001
@@ -1,6 +1,6 @@
title: Testing Usage of Uncommonly Used Port
id: adf876b3-f1f8-4aa9-a4e4-a64106feec06
status: test
status: experimental
description: |
Adversaries may communicate using a protocol and port paring that are typically not associated.
For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
@@ -9,7 +9,6 @@ references:
- https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps
author: frack113
date: 2022/01/23
modified: 2023/01/25
tags:
- attack.command_and_control
- attack.t1571
@@ -1,13 +1,12 @@
title: WinRM Access with Evil-WinRM
id: a197e378-d31b-41c0-9635-cfdf1c1bb423
status: test
status: experimental
description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm
- https://github.com/Hackplayers/evil-winrm
author: frack113
date: 2022/01/07
modified: 2023/01/25
tags:
- attack.lateral_movement
- attack.t1021.006
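Review bot: the description context line says `log into a computer using the Remote Desktop Protocol (RDP)` while the title, the reference and the tag (`attack.t1021.006`) are all about WinRM; the description was likely copied from an RDP rule. Not part of the revert, but it will mislead anyone triaging a hit.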
@@ -1,12 +1,11 @@
title: Findstr GPP Passwords
id: 91a2c315-9ee6-4052-a853-6f6a8238f90d
status: test
status: experimental
description: Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.006/T1552.006.md#atomic-test-1---gpp-passwords-findstr
author: frack113
date: 2021/12/27
modified: 2023/01/25
tags:
- attack.credential_access
- attack.t1552.006
@@ -1,12 +1,11 @@
title: File Download with Headless Browser
id: 0e8cfe08-02c9-4815-a2f8-0d157b7ed33e
status: test
status: experimental
description: This is an unusual method to download files. It starts a browser headless and downloads a file from a location. This can be used by threat actors to download files.
references:
- https://twitter.com/mrd0x/status/1478234484881436672?s=12
author: Sreeman, Florian Roth
date: 2022/01/04
modified: 2023/01/25
tags:
- attack.command_and_control
- attack.t1105
@@ -1,12 +1,11 @@
title: GatherNetworkInfo.vbs Script Usage
id: 575dce0c-8139-4e30-9295-1ee75969f7fe
status: test
status: experimental
description: Adversaries can abuse of C:\Windows\System32\gatherNetworkInfo.vbs script along with cscript.exe to gather information about the target
references:
- https://posts.slayerlabs.com/living-off-the-land/#gathernetworkinfovbs
author: blueteamer8699
date: 2022/01/03
modified: 2023/01/25
tags:
- attack.discovery
- attack.execution
@@ -1,6 +1,6 @@
title: Suspicious LOLBIN AccCheckConsole
id: 0f6da907-5854-4be6-859a-e9958747b0aa
status: test
status: experimental
description: Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL
references:
- https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340
@@ -8,7 +8,6 @@ references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/
author: Florian Roth
date: 2022/01/06
modified: 2023/01/25
tags:
- attack.execution
logsource:
@@ -1,12 +1,11 @@
title: Suspicious Minimized MSEdge Start
id: 94771a71-ba41-4b6e-a757-b531372eaab6
status: test
status: experimental
description: Detects the suspicious minimized start of MsEdge browser, which can be used to download files from the Internet
references:
- https://twitter.com/mrd0x/status/1478234484881436672?s=12
author: Florian Roth
date: 2022/01/11
modified: 2023/01/25
tags:
- attack.command_and_control
- attack.t1105
@@ -1,13 +1,12 @@
title: Netsh Allow Group Policy on Microsoft Defender Firewall
id: 347906f3-e207-4d18-ae5b-a9403d6bcdef
status: test
status: experimental
description: Adversaries may modify system firewalls in order to bypass controls limiting network usage
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall
- https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
author: frack113
date: 2022/01/09
modified: 2023/01/25
tags:
- attack.defense_evasion
- attack.t1562.004
@@ -1,12 +1,11 @@
title: Procdump Evasion
id: 79b06761-465f-4f88-9ef2-150e24d3d737
status: test
status: experimental
description: Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name
references:
- https://twitter.com/mrd0x/status/1480785527901204481
author: Florian Roth
date: 2022/01/11
modified: 2023/01/25
tags:
- attack.defense_evasion
- attack.t1036
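Review bot: the context line `description: Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name` contains a typo ("ot" for "or"). Not something this revert should touch, but worth a separate one-line fix to `moved or copied` so the rule text reads cleanly.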
@@ -1,12 +1,12 @@
title: PurpleSharp Indicator
id: ff23ffbc-3378-435e-992f-0624dcf93ab4
status: test
status: experimental
description: Detects the execution of the PurpleSharp adversary simulation tool
references:
- https://github.com/mvelazc0/PurpleSharp
author: Florian Roth
date: 2021/06/18
modified: 2023/01/25
modified: 2022/01/12
tags:
- attack.t1587
- attack.resource_development
@@ -1,13 +1,12 @@
title: Registry Parse with Pypykatz
id: a29808fd-ef50-49ff-9c7a-59a9b040b404
status: test
status: experimental
description: Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored
references:
- https://github.com/skelsec/pypykatz
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-2---registry-parse-with-pypykatz
author: frack113
date: 2022/01/05
modified: 2023/01/25
tags:
- attack.credential_access
- attack.t1003.002
@@ -1,12 +1,11 @@
title: Registry Dump of SAM Creds and Secrets
id: 038cd51c-3ad8-41c5-ba8f-5d1c92f3cc1e
status: test
status: experimental
description: Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through Windows Registry where the SAM database is stored
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets
author: frack113
date: 2022/01/05
modified: 2023/01/25
tags:
- attack.credential_access
- attack.t1003.002
@@ -1,12 +1,11 @@
title: Run from a Zip File
id: 1a70042a-6622-4a2b-8958-267625349abf
status: test
status: experimental
description: Payloads may be compressed, archived, or encrypted in order to avoid detection
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-4---execution-from-compressed-file
author: frack113
date: 2021/12/26
modified: 2023/01/25
tags:
- attack.impact
- attack.t1485
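Review bot: the ATT&CK tags in this rule's trailing context (`attack.impact`, `attack.t1485`) do not match what the rule describes: the reference is the T1027 atomic test "execution from compressed file" and the description is about payloads being compressed or archived to avoid detection, which is defense evasion, not data destruction. The revert correctly leaves the tags untouched, but they look carried over from another rule; a follow-up should set `attack.defense_evasion` and `attack.t1027`.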
@@ -1,6 +1,6 @@
title: Suspicious Execution of Adidnsdump
id: 26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160
status: test
status: experimental
description: |
This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,
Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP
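Review bot: the multi-line description in this hunk runs two sentences together without punctuation (`... for recon purposes of internal networks Python 3 and python.exe must be installed,`) and the next line opens with the typo `Usee` (for "Used"). The status change is fine; consider a follow-up that splits the description into proper sentences and fixes the spelling.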
@@ -8,7 +8,6 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump
author: frack113
date: 2022/01/01
modified: 2023/01/25
tags:
- attack.discovery
- attack.t1018
@@ -1,13 +1,12 @@
title: Obfuscated Command Line Using Special Unicode Characters
id: e0552b19-5a83-4222-b141-b36184bb8d79
status: test
status: experimental
description: Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.
references:
- https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http
author: frack113
date: 2022/01/15
modified: 2023/01/25
tags:
- attack.defense_evasion
- attack.t1027
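Review bot: the second reference in the context lines (`.../T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http`) points at an atomic test about DLP evasion through a VBA macro, which has nothing to do with special Unicode characters in command lines; it looks like the wrong anchor was copied in. The revert leaves it as is, so a follow-up should drop it or replace it with a reference that actually matches the rule's technique.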
@@ -1,12 +1,11 @@
title: Cscript Visual Basic Script Execution
id: 23250293-eed5-4c39-b57a-841c8933a57d
status: test
status: experimental
description: Adversaries may abuse Visual Basic (VB) for execution
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.005/T1059.005.md
author: frack113
date: 2022/01/02
modified: 2023/01/25
tags:
- attack.execution
- attack.t1059.005
@@ -1,13 +1,12 @@
title: Suspicious Curl Change User Agents
id: 3286d37a-00fd-41c2-a624-a672dcd34e60
status: test
status: experimental
description: Detects a suspicious curl process start on Windows with set useragent options
references:
- https://curl.se/docs/manpage.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd
author: frack113
date: 2022/01/23
modified: 2023/01/25
tags:
- attack.command_and_control
- attack.t1071.001
@@ -1,12 +1,11 @@
title: DevInit Lolbin Download
id: 90d50722-0483-4065-8e35-57efaadd354d
status: test
status: experimental
description: Detects a certain command line flag combination used by devinit.exe lolbin to download arbitrary MSI packages on a Windows system
references:
- https://twitter.com/mrd0x/status/1460815932402679809
author: Florian Roth
date: 2022/01/11
modified: 2023/01/25
tags:
- attack.execution
- attack.defense_evasion
@@ -1,13 +1,12 @@
title: Suspicious Kernel Dump Using Dtrace
id: 7124aebe-4cd7-4ccb-8df0-6d6b93c96795
status: test
status: experimental
description: Detects suspicious way to dump the kernel on Windows systems using dtrace.exe, which is available on Windows systems since Windows 10 19H1
references:
- https://twitter.com/0gtweet/status/1474899714290208777?s=12
- https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace
author: Florian Roth
date: 2021/12/28
modified: 2023/01/25
logsource:
product: windows
category: process_creation
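Review bot: this rule has no `tags:` block: the context goes straight from `modified: 2023/01/25` to `logsource:`, while every other rule in this revert carries ATT&CK tags. Not something the revert should fix, but a follow-up should add the relevant tactic and technique tags so the rule is not missed by ATT&CK-based filtering.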
@@ -1,13 +1,12 @@
title: Format.com FileSystem LOLBIN
id: 9fb6b26e-7f9e-4517-a48b-8cac4a1b6c60
status: test
status: experimental
description: Detects the execution of format.com with a suspicious filesystem selection that could indicate a defense evasion activity in which format.com is used to load malicious DLL files or other programs
references:
- https://twitter.com/0gtweet/status/1477925112561209344
- https://twitter.com/wdormann/status/1478011052130459653?s=20
author: Florian Roth
date: 2022/01/04
modified: 2023/01/25
tags:
- attack.defense_evasion
logsource:
@@ -1,13 +1,12 @@
title: Suspicious Execution of Hostname
id: 7be5fb68-f9ef-476d-8b51-0256ebece19e
status: test
status: experimental
description: Use of hostname to get information
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname
author: frack113
date: 2022/01/01
modified: 2023/01/25
tags:
- attack.discovery
- attack.t1082
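Review bot: `description: Use of hostname to get information` says nothing about what makes the execution suspicious, which matters for a rule titled "Suspicious Execution of Hostname" since the command is run routinely by administrators and scripts. Consider expanding the description in a follow-up to state the condition that separates benign from suspicious use and the expected false positives.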
@@ -1,12 +1,11 @@
title: Suspicious Query of MachineGUID
id: f5240972-3938-4e56-8e4b-e33893176c1f
status: test
status: experimental
description: Use of reg to get MachineGuid information
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-8---windows-machineguid-discovery
author: frack113
date: 2022/01/01
modified: 2023/01/25
tags:
- attack.discovery
- attack.t1082
@@ -1,12 +1,11 @@
title: NodejsTools PressAnyKey Lolbin
id: a20391f8-76fb-437b-abc0-dba2df1952c6
status: test
status: experimental
description: Detects a certain command line flag combination used by Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
references:
- https://twitter.com/mrd0x/status/1463526834918854661
author: Florian Roth
date: 2022/01/11
modified: 2023/01/25
tags:
- attack.execution
- attack.defense_evasion
@@ -1,13 +1,12 @@
title: Use Radmin Viewer Utility
id: 5817e76f-4804-41e6-8f1d-5fa0b3ecae2d
status: test
status: experimental
description: An adversary may use Radmin Viewer Utility to remotely control Windows device
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md
- https://www.radmin.fr/
author: frack113
date: 2022/01/22
modified: 2023/01/25
tags:
- attack.execution
- attack.lateral_movement
@@ -1,12 +1,11 @@
title: Rundll32 JS RunHTMLApplication Pattern
id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3
status: test
status: experimental
description: Detects suspicious command line patterns used when rundll32 is used to run JavaScript code
references:
- http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
author: Florian Roth
date: 2022/01/14
modified: 2023/01/25
tags:
- attack.defense_evasion
logsource:
@@ -1,13 +1,12 @@
title: Suspicious Execution of Shutdown
id: 34ebb878-1b15-4895-b352-ca2eeb99b274
status: test
status: experimental
description: Use of the commandline to shutdown or reboot windows
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
author: frack113
date: 2022/01/01
modified: 2023/01/25
tags:
- attack.impact
- attack.t1529
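Review bot: `description: Use of the commandline to shutdown or reboot windows` is too thin for a rule named "Suspicious Execution of Shutdown": it does not say which argument combination the rule keys on or why it is suspicious rather than routine maintenance. Leave the revert alone, but a follow-up should spell out the detection condition and the likely false positives (and capitalise "Windows").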
@@ -1,6 +1,6 @@
title: NirCmd Tool Execution As LOCAL SYSTEM
id: d9047477-0359-48c9-b8c7-792cedcdc9c4
status: test
status: experimental
description: Detects the use of NirCmd tool for command execution as SYSTEM user
references:
- https://www.nirsoft.net/utils/nircmd.html
@@ -8,7 +8,6 @@ references:
- https://www.nirsoft.net/utils/nircmd2.html#using
author: 'Florian Roth, Nasreddine Bencherchali @nas_bench'
date: 2022/01/24
modified: 2023/01/25
tags:
- attack.execution
- attack.t1569.002
@@ -1,13 +1,12 @@
title: RunXCmd Tool Execution As System
id: 93199800-b52a-4dec-b762-75212c196542
status: test
status: experimental
description: Detects the use of RunXCmd tool for command execution
references:
- https://www.d7xtech.com/free-software/runx/
- https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
author: Florian Roth
date: 2022/01/24
modified: 2023/01/25
tags:
- attack.execution
- attack.t1569.002
@@ -1,12 +1,11 @@
title: Uninstall Sysinternals Sysmon
id: 6a5f68d1-c4b5-46b9-94ee-5324892ea939
status: test
status: experimental
description: Detects the uninstallation of Sysinternals Sysmon, which could be the result of legitimate administration or a manipulation for defense evasion
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-11---uninstall-sysmon
author: frack113
date: 2022/01/12
modified: 2023/01/25
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -1,12 +1,11 @@
title: XORDump Use
id: 66e563f9-1cbd-4a22-a957-d8b7c0f44372
status: test
status: experimental
description: Detects suspicious use of XORDump process memory dumping utility
references:
- https://github.com/audibleblink/xordump
author: Florian Roth
date: 2022/01/28
modified: 2023/01/25
tags:
- attack.defense_evasion
- attack.t1036
@@ -1,6 +1,6 @@
title: Shell Open Registry Keys Manipulation
id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
status: test
status: experimental
description: Detects the shell open key manipulation (exefile and ms-settings) used for persistence and the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
references:
- https://github.com/hfiref0x/UACME
@@ -9,7 +9,7 @@ references:
- https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]
author: Christian Burkard
date: 2021/08/30
modified: 2023/01/25
modified: 2022/01/13
tags:
- attack.defense_evasion
- attack.privilege_escalation
@@ -1,12 +1,11 @@
title: Sysmon Configuration Change
id: 8ac03a65-6c84-4116-acad-dc1558ff7a77
status: test
status: experimental
description: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration
references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
author: frack113
date: 2022/01/12
modified: 2023/01/25
tags:
- attack.defense_evasion
logsource:
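Review bot: the context line `description: Detects a Sysmon configuration change, which could be the result of a legitimate reconfiguration or someone trying manipulate the configuration` is missing "to" before "manipulate". The revert itself is consistent with the other hunks (status back to `experimental`, `modified` line dropped); fix the wording in a separate commit.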