chore: promote older rules status from experimental to test
dekelpaz authored May 1, 2024
1 parent 3a21753 commit 13f1866
Showing 784 changed files with 784 additions and 784 deletions.
@@ -1,6 +1,6 @@
title: Rejetto HTTP File Server RCE
id: a133193c-2daa-4a29-8022-018695fcf0ae
status: experimental
status: test
description: Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
references:
- https://vk9-sec.com/hfs-code-execution-cve-2014-6287/
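Review bot: only the `status:` line moves from `experimental` to `test` here and the rest of the rule is untouched; if the repository expects the rule's modified date to move whenever its metadata changes, that field should be bumped alongside the promotion, in this file and in the other 783 files of this commit. The promotion itself is consistent with the commit message.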
Expand Up @@ -7,7 +7,7 @@ related:
type: similar
- id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 # ProcessCreation
type: similar
status: experimental
status: test
description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
references:
- https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
@@ -1,6 +1,6 @@
title: Potential EmpireMonkey Activity
id: 10152a7b-b566-438f-a33c-390b607d1c8d
status: experimental
status: test
description: Detects potential EmpireMonkey APT activity
references:
- https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
@@ -1,7 +1,7 @@
title: Potential CVE-2021-26084 Exploitation Attempt
id: 38825179-3c78-4fed-b222-2e2166b926b1
description: Detects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection
status: experimental
status: test
references:
- https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md
- https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
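Review bot: the description carries a typo in the CVE id, `CVE-2021-260841` should read `CVE-2021-26084` to match the title and both references, and a comma after the id would help: `description: Detects potential exploitation of CVE-2021-26084, a Confluence RCE using OGNL injection`. This file also places `status:` after `description:` while every other rule in this commit has it directly after `id:`; worth aligning while the line is being touched.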
@@ -1,6 +1,6 @@
title: Potential CVE-2021-27905 Exploitation Attempt
id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3
status: experimental
status: test
description: Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.
references:
- https://twitter.com/Al1ex4/status/1382981479727128580
@@ -1,6 +1,6 @@
title: Suspicious Word Cab File Write CVE-2021-40444
id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5
status: experimental
status: test
description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
references:
- https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
@@ -1,6 +1,6 @@
title: Potential Exploitation Attempt From Office Application
id: 868955d9-697e-45d4-a3da-360cefd7c216
status: experimental
status: test
description: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
references:
- https://twitter.com/sbousseaden/status/1531653369546301440
@@ -1,6 +1,6 @@
title: CVE-2021-41773 Exploitation Attempt
id: 3007fec6-e761-4319-91af-e32e20ac43f5
status: experimental
status: test
description: |
Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49.
An attacker could use a path traversal attack to map URLs to files outside the expected document root.
@@ -1,6 +1,6 @@
title: Log4j RCE CVE-2021-44228 in Fields
id: 9be472ed-893c-4ec0-94da-312d2765f654
status: experimental
status: test
description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
references:
- https://www.lunasec.io/docs/blog/log4j-zero-day/
@@ -1,6 +1,6 @@
title: Exchange ProxyShell Pattern
id: 23eee45e-933b-49f9-ae1b-df706d2d52ef
status: experimental
status: test
description: Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)
references:
- https://youtu.be/5mqid-7zp8k?t=2231
@@ -1,6 +1,6 @@
title: Potential Devil Bait Related Indicator
id: 93d5f1b4-36df-45ed-8680-f66f242b8415
status: experimental
status: test
description: Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
Expand Up @@ -3,7 +3,7 @@ id: e8954be4-b2b8-4961-be18-da1a5bda709c
related:
- id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
type: derived
status: experimental
status: test
description: Detects specific process behavior observed with Devil Bait samples
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
@@ -1,6 +1,6 @@
title: Goofy Guineapig Backdoor IOC
id: f0bafe60-1240-4798-9e60-4364b97e6bad
status: experimental
status: test
description: Detects malicious indicators seen used by the Goofy Guineapig malware
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
@@ -1,6 +1,6 @@
title: Potential Goofy Guineapig Backdoor Activity
id: 477a5ed3-a374-4282-9f3b-ed94e159a108
status: experimental
status: test
description: Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
@@ -1,6 +1,6 @@
title: Potential Goofy Guineapig GoolgeUpdate Process Anomaly
id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc
status: experimental
status: test
description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
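Review bot: the title has a typo, `GoolgeUpdate` should be `GoogleUpdate`, matching the `"GoogleUpdate.exe"` named in the description. Since this commit already touches the file, fixing the title here avoids a separate follow-up and keeps the rule searchable by the real binary name.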
@@ -1,6 +1,6 @@
title: Goofy Guineapig Backdoor Potential C2 Communication
id: 4f573bb6-701a-4b8d-91db-87ae106e9a61
status: experimental
status: test
description: Detects potential C2 communication related to Goofy Guineapig backdoor
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
@@ -1,6 +1,6 @@
title: Goofy Guineapig Backdoor Service Creation
id: 8c15dd74-9570-4f48-80b2-29996fd91ee6
status: experimental
status: test
description: Detects service creation persistence used by the Goofy Guineapig backdoor
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
Expand Up @@ -5,7 +5,7 @@ related:
type: similar
- id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 # Process Creation
type: similar
status: experimental
status: test
description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
@@ -1,6 +1,6 @@
title: Small Sieve Malware File Indicator Creation
id: 39466c42-c189-476a-989f-8cdb135c163a
status: experimental
status: test
description: Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
@@ -1,6 +1,6 @@
title: Small Sieve Malware Potential C2 Communication
id: b0422664-37a4-4e78-949a-4a139309eaf0
status: experimental
status: test
description: Detects potential C2 communication related to Small Sieve malware
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
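Review bot: the reference points at the Goofy Guineapig report (`NCSC-MAR-Goofy-Guineapig.pdf`) although this rule is about Small Sieve; the Small Sieve file-indicator rule in the preceding hunk cites `NCSC-MAR-Small-Sieve.pdf`, which is most likely the intended source here. Promoting a rule to test is the right moment to confirm its references resolve to the report the detection was actually derived from.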
@@ -1,6 +1,6 @@
title: Potential CVE-2023-21554 QueueJumper Exploitation
id: 53207cc2-0745-4c19-bc72-80be1cc16b3f
status: experimental
status: test
description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
references:
- https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/
@@ -1,6 +1,6 @@
title: Potential CVE-2022-21587 Exploitation Attempt
id: d033cb8a-8669-4a8e-a974-48d4185a8503
status: experimental
status: test
description: Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.
references:
- https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-observed-exploitation-of-oracle-e-business-suite-vulnerability/
@@ -1,6 +1,6 @@
title: Potential CVE-2022-26809 Exploitation Attempt
id: a7cd7306-df8b-4398-b711-6f3e4935cf16
status: experimental
status: test
description: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809
@@ -1,6 +1,6 @@
title: Zimbra Collaboration Suite Email Server Unauthenticated RCE
id: dd218fb6-4d02-42dc-85f0-a0a376072efd
status: experimental
status: test
description: Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection
references:
- https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/
@@ -1,6 +1,6 @@
title: Potential CVE-2022-29072 Exploitation Attempt
id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3
status: experimental
status: test
description: |
Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.
7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.
@@ -1,6 +1,6 @@
title: CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
id: fcf1101d-07c9-49b2-ad81-7e421ff96d80
status: experimental
status: test
description: |
Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.
@@ -1,6 +1,6 @@
title: CVE-2022-31659 VMware Workspace ONE Access RCE
id: efdb2003-a922-48aa-8f37-8b80021a9706
status: experimental
status: test
description: Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
references:
- https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
@@ -1,6 +1,6 @@
title: Apache Spark Shell Command Injection - Weblogs
id: 1a9a04fd-02d1-465c-abad-d733fd409f9c
status: experimental
status: test
description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective
references:
- https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py
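Review bot: the description names `CVE-2014-6287`, which is the Rejetto HFS vulnerability covered by the first rule in this commit, while the title and the referenced PoC path (`cve_2022_33891_poc.py`) concern Apache Spark; the description should name CVE-2022-33891 instead. A rule being promoted to test should not carry a mismatched CVE id, since analysts triage and report on that field.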
@@ -1,6 +1,6 @@
title: Atlassian Bitbucket Command Injection Via Archive API
id: 65c0a0ab-d675-4441-bd6b-d3db226a2685
status: experimental
status: test
description: Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804
references:
- https://twitter.com/_0xf4n9x_/status/1572052954538192901
@@ -1,6 +1,6 @@
title: Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877
id: 1b2eeb27-949b-4704-8bfa-d8e5cfa045a1
status: experimental
status: test
description: Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877
references:
- https://seclists.org/fulldisclosure/2023/Jan/1
@@ -1,6 +1,6 @@
title: Potential CVE-2022-46169 Exploitation Attempt
id: 738cb115-881f-4df3-82cc-56ab02fc5192
status: experimental
status: test
description: Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169
references:
- https://github.com/0xf4n9x/CVE-2022-46169
@@ -1,6 +1,6 @@
title: Potential OWASSRF Exploitation Attempt - Webserver
id: 181f49fa-0b21-4665-a98c-a57025ebb8c7
status: experimental
status: test
description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint
references:
- https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
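Review bot: the description runs two sentences together, `...targeting exchange servers It uses the OWA endpoint...`; add a period after `servers`, as the companion public-POC rule in the next hunk does. `Exchange` and `PowerShell` should also be capitalised as product names, consistent with the rule titles.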
@@ -1,6 +1,6 @@
title: OWASSRF Exploitation Attempt Using Public POC - Webserver
id: 92d78c63-5a5c-4c40-9b60-463810ffb082
status: experimental
status: test
description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
references:
- https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
@@ -1,6 +1,6 @@
title: BlueSky Ransomware Artefacts
id: eee8311f-a752-44f0-bf2f-6b007db16300
status: experimental
status: test
description: Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.
references:
- https://unit42.paloaltonetworks.com/bluesky-ransomware/
@@ -1,6 +1,6 @@
title: Potential Raspberry Robin Dot Ending File
id: a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a
status: experimental
status: test
description: Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin
author: Nasreddine Bencherchali (Nextron Systems)
references:
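Review bot: the description lacks a sentence break after the quoted period, `files ending with a "." This scheme has been seen used by raspberry-robin`, which reads as if the quoted character were the full stop; rewording to `files ending with a "." character. This scheme has been seen used by Raspberry Robin` removes the ambiguity and matches the spelling used in the title.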
@@ -1,6 +1,6 @@
title: MERCURY APT Activity
id: a62298a3-1fe0-422f-9a68-ffbcbc5a123d
status: experimental
status: test
description: Detects suspicious command line patterns seen being used by MERCURY APT
references:
- https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
@@ -1,6 +1,6 @@
title: Potential CVE-2023-2283 Exploitation
id: 8b244735-5833-4517-a45b-28d8c63924c0
status: experimental
status: test
description: Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.
references:
- https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20
@@ -1,6 +1,6 @@
title: CVE-2023-23397 Exploitation Attempt
id: 73c59189-6a6d-4b9f-a748-8f6f9bbed75c
status: experimental
status: test
description: Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.
author: Robert Lee @quantum_cookie
date: 2023/03/16
@@ -1,6 +1,6 @@
title: Potential CVE-2023-23397 Exploitation Attempt - SMB
id: de96b824-02b0-4241-9356-7e9b47f04bac
status: experimental
status: test
description: Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
references:
- https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
@@ -1,6 +1,6 @@
title: Potential CVE-2023-23752 Exploitation Attempt
id: 0e1ebc5a-15d0-4bf6-8199-b2535397433a
status: experimental
status: test
description: Detects the potential exploitation attempt of CVE-2023-23752 an Improper access check, in web service endpoints in Joomla
references:
- https://xz.aliyun.com/t/12175
@@ -1,6 +1,6 @@
title: Potential CVE-2023-25157 Exploitation Attempt
id: c0341543-5ed0-4475-aabc-7eea8c52aa66
status: experimental
status: test
description: Detects a potential exploitation attempt of CVE-2023-25157 a SQL injection in GeoServer
references:
- https://github.com/win3zz/CVE-2023-25157
@@ -1,6 +1,6 @@
title: Potential CVE-2023-25717 Exploitation Attempt
id: 043c1609-0e32-4462-a6f2-5a0c2da3fafe
status: experimental
status: test
description: Detects a potential exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin
references:
- https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/
@@ -1,6 +1,6 @@
title: Potential MOVEit Transfer CVE-2023-34362 Exploitation
id: c3b2a774-3152-4989-83c1-7afc48fd1599
status: experimental
status: test
description: Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.
references:
- https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/
@@ -1,6 +1,6 @@
title: Potential Exploitation Attempt Of Undocumented WindowsServer RCE
id: 6d5b8176-d87d-4402-8af4-53aee9db7b5d
status: experimental
status: test
description: Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
references:
- https://github.com/SigmaHQ/sigma/pull/3946
@@ -1,6 +1,6 @@
title: MSMQ Corrupted Packet Encountered
id: ae94b10d-fee9-4767-82bb-439b309d5a27
status: experimental
status: test
description: Detects corrupted packets sent to the MSMQ service. Could potentially be a sign of CVE-2023-21554 exploitation
references:
- https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/
@@ -1,6 +1,6 @@
title: Potential COLDSTEEL RAT File Indicators
id: c708a93f-46b4-4674-a5b8-54aa6219c5fa
status: experimental
status: test
description: Detects the creation of a file named "dllhost.exe" in the "C:\users\public\Documents\" directory. Seen being used by the COLDSTEEL RAT in some of its variants.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
@@ -1,6 +1,6 @@
title: Potential COLDSTEEL Persistence Service DLL Creation
id: 1fea93a2-1524-4a3c-9828-3aa0c2414e27
status: experimental
status: test
description: Detects the creation of a file in a specific location and with a specific name related to COLDSTEEL RAT
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf
@@ -1,6 +1,6 @@
title: Potential COLDSTEEL Persistence Service DLL Load
id: 1d7a57da-02e0-4f7f-92b1-c7b486ccfed5
status: experimental
status: test
description: |
Detects a suspicious DLL load by an "svchost" process based on location and name that might be related to ColdSteel RAT. This DLL location and name has been seen used by ColdSteel as the service DLL for its persistence mechanism
references:
@@ -1,6 +1,6 @@
title: COLDSTEEL RAT Anonymous User Process Execution
id: e01b6eb5-1eb4-4465-a165-85d40d874add
status: experimental
status: test
description: Detects the creation of a process executing as user called "ANONYMOUS" seen used by the "MileStone2016" variant of COLDSTEEL
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/cold-steel/NCSC-MAR-Cold-Steel.pdf