Merge PR #5177 from @nasbench - promote older rules status from `experimental` to `test`

chore: promote older rules status from `experimental` to `test`

Co-authored-by: nasbench <[email protected]>
github-actions[bot] and nasbench authored Feb 3, 2025
1 parent 1d8c843 commit 2bfb093
Showing 58 changed files with 58 additions and 58 deletions.
@@ -1,6 +1,6 @@
title: CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection
id: eafb8bd5-7605-4bfe-a9ec-0442bc151f15
status: experimental
status: test
description: |
Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster.
It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character.
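Review bot: the title names CVE-2024-1212 but the description line in this hunk reads "Detects potential exploitation of CVE-2024-1709", so the rule carries two different CVE identifiers; since the title and the rest of the description both describe the Progress Kemp LoadMaster issue, the description's id looks like the stale one and should be aligned with the title before the rule leaves `experimental`, e.g. `Detects potential exploitation of CVE-2024-1212, an unauthenticated command injection in Progress Kemp LoadMaster.` Analysts pivot on the CVE id, so a mismatched one in a `test` rule is worse than in an experimental one.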
@@ -1,6 +1,6 @@
title: Potential KamiKakaBot Activity - Lure Document Execution
id: 24474469-bd80-46cc-9e08-9fbe81bfaaca
status: experimental
status: test
description: |
Detects the execution of a Word document via the WinWord Start Menu shortcut.
This behavior was observed being used by KamiKakaBot samples in order to initiate the 2nd stage of the infection.
@@ -1,6 +1,6 @@
title: Potential KamiKakaBot Activity - Shutdown Schedule Task Creation
id: fe9e8ba9-4419-41e6-a574-bd9f7b3af961
status: experimental
status: test
description: |
Detects the creation of a schedule task that runs weekly and execute the "shutdown /l /f" command.
This behavior was observed being used by KamiKakaBot samples in order to achieve persistence on a system.
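Review bot: grammar in the description of this hunk: "a schedule task that runs weekly and execute the ..." should read "a scheduled task that runs weekly and executes the ...". Worth fixing in the same commit, since `test` status signals the rule text has been reviewed.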
@@ -1,6 +1,6 @@
title: Potential KamiKakaBot Activity - Winlogon Shell Persistence
id: c9b86500-1ec2-4de6-9120-d744c8fb5caf
status: experimental
status: test
description: |
Detects changes to the "Winlogon" registry key where a process will set the value of the "Shell" to a value that was observed being used by KamiKakaBot samples in order to achieve persistence.
references:
@@ -1,6 +1,6 @@
title: Dfsvc.EXE Network Connection To Non-Local IPs
id: 3c21219b-49b5-4268-bce6-c914ed50f09c
status: experimental
status: test
description: Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to non-local IPs
references:
- https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5
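Review bot: typo in the description of this hunk: "used to handled ClickOnce applications" should be "used to handle ClickOnce applications".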
@@ -1,6 +1,6 @@
title: Network Connection Initiated By PowerShell Process
id: 1f21ec3f-810d-4b0e-8045-322202e22b4b
status: experimental
status: test
description: |
Detects a network connection that was initiated from a PowerShell process.
Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs.
Expand Up @@ -3,7 +3,7 @@ id: 277dc340-0540-42e7-8efb-5ff460045e07
related:
- id: 277dc340-0540-42e7-8efb-5ff460045e07
type: obsolete
status: experimental
status: test
description: |
Detects the setting of the "ImagePath" value of a service registry key to a path controlled by a non-administrator user such as "\AppData\" or "\ProgramData\".
Attackers often use such directories for staging purposes.
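Review bot: the `related` entry in this hunk points at id 277dc340-0540-42e7-8efb-5ff460045e07 with type `obsolete`, but the hunk header shows the rule's own `id:` is that same value, so the rule declares itself obsolete. That reads like a copy-paste slip; the related id should be the older rule this one supersedes, and it should be corrected before the status is promoted, otherwise tooling that follows `related` links will loop back to the same rule.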
@@ -1,6 +1,6 @@
title: Deployment Deleted From Kubernetes Cluster
id: 40967487-139b-4811-81d9-c9767a92aa5a
status: experimental
status: test
description: |
Detects the removal of a deployment from a Kubernetes cluster.
This could indicate disruptive activity aiming to impact business operations.
Expand Up @@ -3,7 +3,7 @@ id: 3132570d-cab2-4561-9ea6-1743644b2290
related:
- id: 225d8b09-e714-479c-a0e4-55e6f29adf35
type: derived
status: experimental
status: test
description: |
Detects when events are deleted in Kubernetes.
An adversary may delete Kubernetes events in an attempt to evade detection.
@@ -1,6 +1,6 @@
title: Potential Remote Command Execution In Pod Container
id: a1b0ca4e-7835-413e-8471-3ff2b8a66be6
status: experimental
status: test
description: |
Detects attempts to execute remote commands, within a Pod's container using e.g. the "kubectl exec" command.
references:
@@ -1,6 +1,6 @@
title: Container With A hostPath Mount Created
id: 402b955c-8fe0-4a8c-b635-622b4ac5f902
status: experimental
status: test
description: |
Detects creation of a container with a hostPath mount.
A hostPath volume mounts a directory or a file from the node to the container.
@@ -1,6 +1,6 @@
title: Creation Of Pod In System Namespace
id: a80d927d-ac6e-443f-a867-e8d6e3897318
status: experimental
status: test
description: |
Detects deployments of pods within the kube-system namespace, which could be intended to imitate system pods.
System pods, created by controllers such as Deployments or DaemonSets have random suffixes in their names.
@@ -1,6 +1,6 @@
title: Privileged Container Deployed
id: c5cd1b20-36bb-488d-8c05-486be3d0cb97
status: experimental
status: test
description: |
Detects the creation of a "privileged" container, an action which could be indicative of a threat actor mounting a container breakout attacks.
A privileged container is a container that can access the host with all of the root capabilities of the host machine. This allows it to view, interact and modify processes, network operations, IPC calls, the file system, mount points, SELinux configurations etc. as the root user on the host.
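Review bot: grammar in the description of this hunk: "indicative of a threat actor mounting a container breakout attacks" should read "mounting a container breakout attack", and "view, interact and modify processes" should be "view, interact with and modify processes".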
@@ -1,6 +1,6 @@
title: RBAC Permission Enumeration Attempt
id: 84b777bd-c946-4d17-aa2e-c39f5a454325
status: experimental
status: test
description: |
Detects identities attempting to enumerate their Kubernetes RBAC permissions.
In the early stages of a breach, attackers will aim to list the permissions they have within the compromised environment.
Expand Up @@ -3,7 +3,7 @@ id: eeb3e9e1-b685-44e4-9232-6bb701f925b5
related:
- id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
type: derived
status: experimental
status: test
description: Detects enumeration of Kubernetes secrets.
references:
- https://microsoft.github.io/Threat-Matrix-for-Kubernetes/techniques/List%20K8S%20secrets/
Expand Up @@ -3,7 +3,7 @@ id: e31bae15-83ed-473e-bf31-faf4f8a17d36
related:
- id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
type: derived
status: experimental
status: test
description: |
Detects creation of new Kubernetes service account, which could indicate an attacker's attempt to persist within a cluster.
references:
@@ -1,6 +1,6 @@
title: Potential Sidecar Injection Into Running Deployment
id: ad9012a6-e518-4432-9890-f3b82b8fc71f
status: experimental
status: test
description: |
Detects attempts to inject a sidecar container into a running deployment.
A sidecar container is an additional container within a pod, that resides alongside the main container.
@@ -1,6 +1,6 @@
title: OpenCanary - FTP Login Attempt
id: 6991bc2b-ae2e-447f-bc55-3a1ba04c14e5
status: experimental
status: test
description: Detects instances where an FTP service on an OpenCanary node has had a login attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
@@ -1,6 +1,6 @@
title: OpenCanary - GIT Clone Request
id: 4fe17521-aef3-4e6a-9d6b-4a7c8de155a8
status: experimental
status: test
description: Detects instances where a GIT service on an OpenCanary node has had Git Clone request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
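Review bot: the description in this hunk is missing an article: "has had Git Clone request" should read "has had a Git clone request".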
2 changes: 1 addition & 1 deletion rules/application/opencanary/opencanary_http_get.yml
@@ -1,6 +1,6 @@
title: OpenCanary - HTTP GET Request
id: af6c3078-84cd-4c68-8842-08b76bd81b13
status: experimental
status: test
description: Detects instances where an HTTP service on an OpenCanary node has received a GET request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
@@ -1,6 +1,6 @@
title: OpenCanary - HTTP POST Login Attempt
id: af1ac430-df6b-4b38-b976-0b52f07a0252
status: experimental
status: test
description: |
Detects instances where an HTTP service on an OpenCanary node has had login attempt via Form POST.
references:
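Review bot: the description in this hunk is missing an article: "has had login attempt via Form POST" should read "has had a login attempt via form POST".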
@@ -1,6 +1,6 @@
title: OpenCanary - HTTPPROXY Login Attempt
id: 5498fc09-adc6-4804-b9d9-5cca1f0b8760
status: experimental
status: test
description: |
Detects instances where an HTTPPROXY service on an OpenCanary node has had an attempt to proxy another page.
references:
@@ -1,6 +1,6 @@
title: OpenCanary - MSSQL Login Attempt Via SQLAuth
id: 3ec9a16d-0b4f-4967-9542-ebf38ceac7dd
status: experimental
status: test
description: |
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using SQLAuth.
references:
@@ -1,6 +1,6 @@
title: OpenCanary - MSSQL Login Attempt Via Windows Authentication
id: 6e78f90f-0043-4a01-ac41-f97681613a66
status: experimental
status: test
description: |
Detects instances where an MSSQL service on an OpenCanary node has had a login attempt using Windows Authentication.
references:
@@ -1,6 +1,6 @@
title: OpenCanary - MySQL Login Attempt
id: e7d79a1b-25ed-4956-bd56-bd344fa8fd06
status: experimental
status: test
description: Detects instances where a MySQL service on an OpenCanary node has had a login attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
2 changes: 1 addition & 1 deletion rules/application/opencanary/opencanary_ntp_monlist.yml
@@ -1,6 +1,6 @@
title: OpenCanary - NTP Monlist Request
id: 7cded4b3-f09e-405a-b96f-24248433ba44
status: experimental
status: test
description: Detects instances where an NTP service on an OpenCanary node has had a NTP monlist request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
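Review bot: article in the description of this hunk: "has had a NTP monlist request" should be "has had an NTP monlist request".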
2 changes: 1 addition & 1 deletion rules/application/opencanary/opencanary_redis_command.yml
@@ -1,6 +1,6 @@
title: OpenCanary - REDIS Action Command Attempt
id: 547dfc53-ebf6-4afe-8d2e-793d9574975d
status: experimental
status: test
description: Detects instances where a REDIS service on an OpenCanary node has had an action command attempted.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
2 changes: 1 addition & 1 deletion rules/application/opencanary/opencanary_sip_request.yml
@@ -1,6 +1,6 @@
title: OpenCanary - SIP Request
id: e30de276-68ec-435c-ab99-ef3befec6c61
status: experimental
status: test
description: Detects instances where an SIP service on an OpenCanary node has had a SIP request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
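Review bot: article in the description of this hunk: "an SIP service" should be "a SIP service".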
2 changes: 1 addition & 1 deletion rules/application/opencanary/opencanary_smb_file_open.yml
@@ -1,6 +1,6 @@
title: OpenCanary - SMB File Open Request
id: 22777c9e-873a-4b49-855f-6072ab861a52
status: experimental
status: test
description: Detects instances where an SMB service on an OpenCanary node has had a file open request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
2 changes: 1 addition & 1 deletion rules/application/opencanary/opencanary_snmp_cmd.yml
@@ -1,6 +1,6 @@
title: OpenCanary - SNMP OID Request
id: e9856028-fd4e-46e6-b3d1-10f7ceb95078
status: experimental
status: test
description: Detects instances where an SNMP service on an OpenCanary node has had an OID request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
@@ -1,6 +1,6 @@
title: OpenCanary - SSH Login Attempt
id: ff7139bc-fdb1-4437-92f2-6afefe8884cb
status: experimental
status: test
description: Detects instances where an SSH service on an OpenCanary node has had a login attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
@@ -1,6 +1,6 @@
title: OpenCanary - SSH New Connection Attempt
id: cd55f721-5623-4663-bd9b-5229cab5237d
status: experimental
status: test
description: Detects instances where an SSH service on an OpenCanary node has had a connection attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
@@ -1,6 +1,6 @@
title: OpenCanary - Telnet Login Attempt
id: 512cff7a-683a-43ad-afe0-dd398e872f36
status: experimental
status: test
description: Detects instances where a Telnet service on an OpenCanary node has had a login attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
2 changes: 1 addition & 1 deletion rules/application/opencanary/opencanary_tftp_request.yml
@@ -1,6 +1,6 @@
title: OpenCanary - TFTP Request
id: b4e6b016-a2ac-4759-ad85-8000b300d61e
status: experimental
status: test
description: Detects instances where a TFTP service on an OpenCanary node has had a request.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
@@ -1,6 +1,6 @@
title: OpenCanary - VNC Connection Attempt
id: 9db5446c-b44a-4291-8b89-fcab5609c3b3
status: experimental
status: test
description: Detects instances where a VNC service on an OpenCanary node has had a connection attempt.
references:
- https://opencanary.readthedocs.io/en/latest/starting/configuration.html#services-configuration
Expand Up @@ -5,7 +5,7 @@ related:
type: similar
- id: f459ccb4-9805-41ea-b5b2-55e279e2424a
type: similar
status: experimental
status: test
description: |
Detects the command line executed when TeamViewer starts a session started by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
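Review bot: "the command line executed when TeamViewer starts a session started by a remote host" is clumsy; suggest "starts a session initiated by a remote host". The identical description appears in the two other TeamViewer hunks in this commit, so all three should be reworded together so the rule texts stay consistent.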
Expand Up @@ -5,7 +5,7 @@ related:
type: similar
- id: 1f6b8cd4-3e60-47cc-b282-5aa1cbc9182d
type: similar
status: experimental
status: test
description: |
Detects the command line executed when TeamViewer starts a session started by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
@@ -1,6 +1,6 @@
title: EVTX Created In Uncommon Location
id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb
status: experimental
status: test
description: |
Detects the creation of new files with the ".evtx" extension in non-common or non-standard location.
This could indicate tampering with default EVTX locations in order to evade security controls or simply exfiltration of event log to search for sensitive information within.
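Review bot: wording in the description of this hunk: "in non-common or non-standard location" should read "in a non-standard location", and "exfiltration of event log" should be "exfiltration of event logs".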
Expand Up @@ -3,7 +3,7 @@ id: edf3485d-dac4-4d50-90e4-b0e5813f7e60
related:
- id: ec82e2a5-81ea-4211-a1f8-37a0286df2c2
type: derived
status: experimental
status: test
description: Detects external IP address lookups by non-browser processes via services such as "api.ipify.org". This could be indicative of potential post compromise internet test activity.
references:
- https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md
Expand Up @@ -5,7 +5,7 @@ related:
type: derived
- id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a
type: similar
status: experimental
status: test
description: |
Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location.
This technique is sometimes used by malicious actors in order to redirect the output of reconnaissance commands such as "hostname" and "dir" to files for future exfiltration.
Expand Up @@ -5,7 +5,7 @@ related:
type: derived
- id: 65d2be45-8600-4042-b4c0-577a1ff8a60e
type: obsolete
status: experimental
status: test
description: Detects execution of "odbcconf" with the "-f" flag in order to load a response file with a non-".rsp" extension.
references:
- https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16
Expand Up @@ -5,7 +5,7 @@ related:
type: similar
- id: f459ccb4-9805-41ea-b5b2-55e279e2424a
type: similar
status: experimental
status: test
description: |
Detects the command line executed when TeamViewer starts a session started by a remote host.
Once a connection has been started, an investigator can verify the connection details by viewing the "incoming_connections.txt" log file in the TeamViewer folder.
@@ -1,6 +1,6 @@
title: Renamed NirCmd.EXE Execution
id: 264982dc-dbad-4dce-b707-1e0d3e0f73d9
status: experimental
status: test
description: Detects the execution of a renamed "NirCmd.exe" binary based on the PE metadata fields.
references:
- https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/
@@ -1,6 +1,6 @@
title: Rundll32 Execution With Uncommon DLL Extension
id: c3a99af4-35a9-4668-879e-c09aeb4f2bdf
status: experimental
status: test
description: Detects the execution of rundll32 with a command line that doesn't contain a common extension
references:
- https://twitter.com/mrd0x/status/1481630810495139841?s=12
@@ -1,6 +1,6 @@
title: Suspicious Command Patterns In Scheduled Task Creation
id: f2c64357-b1d2-41b7-849f-34d2682c0fad
status: experimental
status: test
description: Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands
references:
- https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/
@@ -1,6 +1,6 @@
title: Kernel Memory Dump Via LiveKD
id: c7746f1c-47d3-43d6-8c45-cd1e54b6b0a2
status: experimental
status: test
description: Detects execution of LiveKD with the "-m" flag to potentially dump the kernel memory
references:
- https://learn.microsoft.com/en-us/sysinternals/downloads/livekd
@@ -1,6 +1,6 @@
title: Loaded Module Enumeration Via Tasklist.EXE
id: 34275eb8-fa19-436b-b959-3d9ecd53fa1f
status: experimental
status: test
description: |
Detects the enumeration of a specific DLL or EXE being used by a binary via "tasklist.exe".
This is often used by attackers in order to find the specific process identifier (PID) that is using the DLL in question.
@@ -1,6 +1,6 @@
title: Registry Persistence via Service in Safe Mode
id: 1547e27c-3974-43e2-a7d7-7f484fb928ec
status: experimental
status: test
description: Detects the modification of the registry to allow a driver or service to persist in Safe Mode.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network