From e8fed8709c029803205058c2982465df439c2667 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 14 Aug 2025 14:05:46 +0200
Subject: [PATCH] Merge PR #5572 from @nasbench - Promote older rules status from `experimental` to `test`

Co-authored-by: nasbench
---
 .../dns_query/dns_query_win_wscript_cscript_resolution.yml | 2 +-
 ...n_security_susp_group_policy_startup_script_added_to_gpo.yml | 2 +-
 .../network_connection/net_connection_win_domain_btunnels.yml | 2 +-
 .../proc_creation_win_remote_access_tools_meshagent_exec.yml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules-placeholder/windows/dns_query/dns_query_win_wscript_cscript_resolution.yml b/rules-placeholder/windows/dns_query/dns_query_win_wscript_cscript_resolution.yml
index 3123561fc..2d64963eb 100644
--- a/rules-placeholder/windows/dns_query/dns_query_win_wscript_cscript_resolution.yml
+++ b/rules-placeholder/windows/dns_query/dns_query_win_wscript_cscript_resolution.yml
@@ -1,6 +1,6 @@
 title: DNS Request From Windows Script Host
 id: 12310575-e8b1-475c-a976-57ed540b349c
-status: experimental
+status: test
 description: |
   Detects unusual domain resolutions originating from CScript/WScript that can identify malicious javascript files executing in an environment, often as a result from a phishing or watering hole attack.
 author: Josh Nickels, Marius Rothenbücher
diff --git a/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml b/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml
index e9baa491f..0ec841bc7 100644
--- a/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml
+++ b/rules/windows/builtin/security/win_security_susp_group_policy_startup_script_added_to_gpo.yml
@@ -1,6 +1,6 @@
 title: Startup/Logon Script Added to Group Policy Object
 id: 123e4e6d-b123-48f8-b261-7214938acaf0
-status: experimental
+status: test
 description: |
   Detects the modification of Group Policy Objects (GPO) to add a startup/logon script to users or computer objects.
 references:
diff --git a/rules/windows/network_connection/net_connection_win_domain_btunnels.yml b/rules/windows/network_connection/net_connection_win_domain_btunnels.yml
index 4ee6e025c..233a2b2f0 100644
--- a/rules/windows/network_connection/net_connection_win_domain_btunnels.yml
+++ b/rules/windows/network_connection/net_connection_win_domain_btunnels.yml
@@ -1,6 +1,6 @@
 title: Network Connection Initiated To BTunnels Domains
 id: 9e02c8ec-02b9-43e8-81eb-34a475ba7965
-status: experimental
+status: test
 description: |
   Detects network connections to BTunnels domains initiated by a process on the system.
   Attackers can abuse that feature to establish a reverse shell or persistence on a machine.
diff --git a/rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml
index 771b60d57..72479c606 100644
--- a/rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml
+++ b/rules/windows/process_creation/proc_creation_win_remote_access_tools_meshagent_exec.yml
@@ -1,6 +1,6 @@
 title: Remote Access Tool - MeshAgent Command Execution via MeshCentral
 id: 74a2b202-73e0-4693-9a3a-9d36146d0775
-status: experimental
+status: test
 description: |
   Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly.
   MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.