chore: promote older rules status from experimental to test
dekelpaz authored Dec 1, 2023
1 parent 3a21753 commit 2243ab4
Showing 237 changed files with 237 additions and 237 deletions.
@@ -1,6 +1,6 @@
title: Rejetto HTTP File Server RCE
id: a133193c-2daa-4a29-8022-018695fcf0ae
status: experimental
status: test
description: Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
references:
- https://vk9-sec.com/hfs-code-execution-cve-2014-6287/
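Review bot: the commit message gives age ("older rules") as the promotion criterion, but the Sigma status levels tie `test` to a rule having been checked for obvious false positives on broader log data rather than to how long it has existed; since every hunk only flips `status: experimental` to `status: test`, the PR description should record how these rules were validated so the new status is traceable.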
@@ -1,6 +1,6 @@
title: Potential Exploitation Attempt From Office Application
id: 868955d9-697e-45d4-a3da-360cefd7c216
status: experimental
status: test
description: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
references:
- https://twitter.com/sbousseaden/status/1531653369546301440
@@ -1,6 +1,6 @@
title: CVE-2021-41773 Exploitation Attempt
id: 3007fec6-e761-4319-91af-e32e20ac43f5
status: experimental
status: test
description: |
Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49.
An attacker could use a path traversal attack to map URLs to files outside the expected document root.
@@ -1,6 +1,6 @@
title: Log4j RCE CVE-2021-44228 in Fields
id: 9be472ed-893c-4ec0-94da-312d2765f654
status: experimental
status: test
description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
references:
- https://www.lunasec.io/docs/blog/log4j-zero-day/
@@ -1,6 +1,6 @@
title: Exchange ProxyShell Pattern
id: 23eee45e-933b-49f9-ae1b-df706d2d52ef
status: experimental
status: test
description: Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)
references:
- https://youtu.be/5mqid-7zp8k?t=2231
@@ -1,6 +1,6 @@
title: Potential CVE-2022-26809 Exploitation Attempt
id: a7cd7306-df8b-4398-b711-6f3e4935cf16
status: experimental
status: test
description: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809
@@ -1,6 +1,6 @@
title: Zimbra Collaboration Suite Email Server Unauthenticated RCE
id: dd218fb6-4d02-42dc-85f0-a0a376072efd
status: experimental
status: test
description: Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection
references:
- https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/
@@ -1,6 +1,6 @@
title: CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
id: fcf1101d-07c9-49b2-ad81-7e421ff96d80
status: experimental
status: test
description: |
Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.
@@ -1,6 +1,6 @@
title: CVE-2022-31659 VMware Workspace ONE Access RCE
id: efdb2003-a922-48aa-8f37-8b80021a9706
status: experimental
status: test
description: Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
references:
- https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
@@ -1,6 +1,6 @@
title: Apache Spark Shell Command Injection - Weblogs
id: 1a9a04fd-02d1-465c-abad-d733fd409f9c
status: experimental
status: test
description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective
references:
- https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py
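Review bot: the description still says the rule detects exploitation "via CVE-2014-6287", which is the Rejetto HFS CVE from the first hunk, while the title names Apache Spark and the only reference is a cve-2022-33891 PoC; correct the description before promoting this rule to `test` so its metadata is consistent, e.g. `description: Detects attempts to exploit an Apache Spark server via CVE-2022-33891 from a weblogs perspective`.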
@@ -1,6 +1,6 @@
title: Atlassian Bitbucket Command Injection Via Archive API
id: 65c0a0ab-d675-4441-bd6b-d3db226a2685
status: experimental
status: test
description: Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804
references:
- https://twitter.com/_0xf4n9x_/status/1572052954538192901
@@ -1,6 +1,6 @@
title: Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877
id: 1b2eeb27-949b-4704-8bfa-d8e5cfa045a1
status: experimental
status: test
description: Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877
references:
- https://seclists.org/fulldisclosure/2023/Jan/1
@@ -1,6 +1,6 @@
title: Potential CVE-2022-46169 Exploitation Attempt
id: 738cb115-881f-4df3-82cc-56ab02fc5192
status: experimental
status: test
description: Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169
references:
- https://github.com/0xf4n9x/CVE-2022-46169
@@ -1,6 +1,6 @@
title: Potential OWASSRF Exploitation Attempt - Webserver
id: 181f49fa-0b21-4665-a98c-a57025ebb8c7
status: experimental
status: test
description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint
references:
- https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
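Review bot: the `description:` line runs two sentences together ("targeting exchange servers It uses"); add the missing period and capitalise the product names, e.g. `... targeting Exchange servers. It uses the OWA endpoint to access the PowerShell backend endpoint`.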
@@ -1,6 +1,6 @@
title: OWASSRF Exploitation Attempt Using Public POC - Webserver
id: 92d78c63-5a5c-4c40-9b60-463810ffb082
status: experimental
status: test
description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
references:
- https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
@@ -1,6 +1,6 @@
title: Potential Exploitation Attempt Of Undocumented WindowsServer RCE
id: 6d5b8176-d87d-4402-8af4-53aee9db7b5d
status: experimental
status: test
description: Detects potential exploitation attempt of undocumented Windows Server Pre Auth Remote Code Execution (RCE)
references:
- https://github.com/SigmaHQ/sigma/pull/3946
2 changes: 1 addition & 1 deletion rules/category/database/db_anomalous_query.yml
@@ -1,6 +1,6 @@
title: Suspicious SQL Query
id: d84c0ded-edd7-4123-80ed-348bb3ccc4d5
status: experimental
status: test
description: Detects suspicious SQL query keywrods that are often used during recon, exfiltration or destructive activities. Such as dropping tables and selecting wildcard fields
author: '@juju4'
date: 2022/12/27
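Review bot: the `description:` line has a typo ("keywrods") and a sentence fragment ("Such as dropping tables ..."); suggest `description: Detects suspicious SQL query keywords that are often used during recon, exfiltration or destructive activities, such as dropping tables and selecting wildcard fields`.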
2 changes: 1 addition & 1 deletion rules/cloud/aws/cloudtrail/aws_delete_identity.yml
@@ -1,6 +1,6 @@
title: SES Identity Has Been Deleted
id: 20f754db-d025-4a8f-9d74-e0037e999a9a
status: experimental
status: test
description: Detects an instance of an SES identity being deleted via the "DeleteIdentity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
references:
- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
@@ -1,6 +1,6 @@
title: Suspicious SignIns From A Non Registered Device
id: 572b12d4-9062-11ed-a1eb-0242ac120002
status: experimental
status: test
description: Detects risky authencaition from a non AD registered device without MFA being required.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
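Review bot: "authencaition" on the `description:` line should be "authentication", and "non AD registered" reads better as "non-AD-registered"; the promotion to `test` is a good moment to fix both.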
2 changes: 1 addition & 1 deletion rules/cloud/github/github_delete_action_invoked.yml
@@ -1,6 +1,6 @@
title: Github Delete Action Invoked
id: 16a71777-0b2e-4db7-9888-9d59cb75200b
status: experimental
status: test
description: Detects delete action in the Github audit logs for codespaces, environment, project and repo.
author: Muhammad Faisal
date: 2023/01/19
@@ -1,6 +1,6 @@
title: Github High Risk Configuration Disabled
id: 8622c92d-c00e-463c-b09d-fd06166f6794
status: experimental
status: test
description: Detects when a user disables a critical security feature for an organization.
author: Muhammad Faisal
date: 2023/01/29
@@ -1,6 +1,6 @@
title: Outdated Dependency Or Vulnerability Alert Disabled
id: 34e1c7d4-0cd5-419d-9f1b-1dad3f61018d
status: experimental
status: test
description: |
Dependabot performs a scan to detect insecure dependencies, and sends Dependabot alerts.
This rule detects when an organization owner disables Dependabot alerts private repositories or Dependabot security updates for all repositories.
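Review bot: the second description line is missing a preposition: "disables Dependabot alerts private repositories" should read "disables Dependabot alerts for private repositories".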
2 changes: 1 addition & 1 deletion rules/cloud/github/github_new_org_member.yml
@@ -1,6 +1,6 @@
title: New Github Organization Member Added
id: 3908d64a-3c06-4091-b503-b3a94424533b
status: experimental
status: test
description: Detects when a new member is added or invited to a github organization.
author: Muhammad Faisal
date: 2023/01/29
2 changes: 1 addition & 1 deletion rules/cloud/github/github_new_secret_created.yml
@@ -1,6 +1,6 @@
title: Github New Secret Created
id: f9405037-bc97-4eb7-baba-167dad399b83
status: experimental
status: test
description: Detects when a user creates action secret for the organization, environment, codespaces or repository.
author: Muhammad Faisal
date: 2023/01/20
@@ -1,6 +1,6 @@
title: Github Outside Collaborator Detected
id: eaa9ac35-1730-441f-9587-25767bde99d7
status: experimental
status: test
description: |
Detects when an organization member or an outside collaborator is added to or removed from a project board or has their permission level changed or when an owner removes an outside collaborator from an organization or when two-factor authentication is required in an organization and an outside collaborator does not use 2FA or disables 2FA.
author: Muhammad Faisal
@@ -1,6 +1,6 @@
title: Github Self Hosted Runner Changes Detected
id: f8ed0e8f-7438-4b79-85eb-f358ef2fbebd
status: experimental
status: test
description: |
A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com.
This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected,
2 changes: 1 addition & 1 deletion rules/cloud/okta/okta_admin_role_assignment_created.yml
@@ -1,6 +1,6 @@
title: Okta Admin Role Assignment Created
id: 139bdd4b-9cd7-49ba-a2f4-744d0a8f5d8c
status: experimental
status: test
description: Detects when a new admin role assignment is created. Which could be a sign of privilege escalation or persistence
references:
- https://developer.okta.com/docs/reference/api/system-log/
2 changes: 1 addition & 1 deletion rules/linux/auditd/lnx_auditd_hidden_binary_execution.yml
Expand Up @@ -3,7 +3,7 @@ id: 9e1bef8d-0fff-46f6-8465-9aa54e128c1e
related:
- id: d08722cd-3d09-449a-80b4-83ea2d9d4616
type: similar
status: experimental
status: test
description: Detects calls to hidden files or files located in hidden directories in NIX systems.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md
@@ -1,6 +1,6 @@
title: PwnKit Local Privilege Escalation
id: 0506a799-698b-43b4-85a1-ac4c84c720e9
status: experimental
status: test
description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
references:
- https://twitter.com/wdormann/status/1486161836961579020
@@ -1,6 +1,6 @@
title: Nimbuspwn Exploitation
id: 7ba05b43-adad-4c02-b5e9-c8c35cdf9fa8
status: experimental
status: test
description: Detects exploitation of Nimbuspwn privilege escalation vulnerability (CVE-2022-29799 and CVE-2022-29800)
references:
- https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
2 changes: 1 addition & 1 deletion rules/linux/builtin/lnx_potential_susp_ebpf_activity.yml
@@ -1,6 +1,6 @@
title: Potential Suspicious BPF Activity - Linux
id: 0fadd880-6af3-4610-b1e5-008dc3a11b8a
status: experimental
status: test
description: Detects the presence of "bpf_probe_write_user" BPF helper-generated warning messages. Which could be a sign of suspicious eBPF activity on the system.
references:
- https://redcanary.com/blog/ebpf-malware/
2 changes: 1 addition & 1 deletion rules/linux/builtin/lnx_susp_dev_tcp.yml
@@ -1,6 +1,6 @@
title: Suspicious Use of /dev/tcp
id: 6cc5fceb-9a71-4c23-aeeb-963abe0b279c
status: experimental
status: test
description: Detects suspicious command with /dev/tcp
references:
- https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/
@@ -1,6 +1,6 @@
title: Persistence Via Sudoers Files
id: ddb26b76-4447-4807-871f-1b035b2bfa5d
status: experimental
status: test
description: Detects creation of sudoers file or files in "sudoers.d" directory which can be used a potential method to persiste privileges for a specific user.
references:
- https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh
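Review bot: the `description:` line has two errors: "used a potential method" should be "used as a potential method" and "persiste" should be "persist".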
@@ -1,6 +1,6 @@
title: Triple Cross eBPF Rootkit Default LockFile
id: c0239255-822c-4630-b7f1-35362bcb8f44
status: experimental
status: test
description: Detects the creation of the file "rootlog" which is used by the TripleCross rootkit as a way to check if the backdoor is already running.
references:
- https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L33
@@ -1,6 +1,6 @@
title: Triple Cross eBPF Rootkit Default Persistence
id: 1a2ea919-d11d-4d1e-8535-06cda13be20f
status: experimental
status: test
description: Detects the creation of "ebpfbackdoor" files in both "cron.d" and "sudoers.d" directories. Which both are related to the TripleCross persistence method
references:
- https://github.com/h3xduck/TripleCross/blob/12629558b8b0a27a5488a0b98f1ea7042e76f8ab/apps/deployer.sh
@@ -1,6 +1,6 @@
title: Enable BPF Kprobes Tracing
id: 7692f583-bd30-4008-8615-75dab3f08a99
status: experimental
status: test
description: Detects common command used to enable bpf kprobes tracing
references:
- https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/
@@ -1,6 +1,6 @@
title: Capabilities Discovery - Linux
id: d8d97d51-122d-4cdd-9e2f-01b4b4933530
status: experimental
status: test
description: Detects usage of "getcap" binary. This is often used during recon activity to determine potential binaries that can be abused as GTFOBins or other.
references:
- https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
@@ -1,6 +1,6 @@
title: Copy Passwd Or Shadow From TMP Path
id: fa4aaed5-4fe0-498d-bbc0-08e3346387ba
status: experimental
status: test
description: Detects when the file "passwd" or "shadow" is copied from tmp path
references:
- https://blogs.blackberry.com/
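Review bot: the only reference is the bare blog root `https://blogs.blackberry.com/`, which does not identify the post the detection is based on; a rule moving to `test` should cite the specific article URL so reviewers can check the logic against its source. The same bare root is the sole reference in the Ufw Force Stop Using Ufw-Init, Flush Iptables Ufw Chain, Mount Execution With Hidepid Parameter and Touch Suspicious Service File rules in this commit.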
@@ -1,6 +1,6 @@
title: Ufw Force Stop Using Ufw-Init
id: 84c9e83c-599a-458a-a0cb-0ecce44e807a
status: experimental
status: test
description: Detects attempts to force stop the ufw using ufw-init
references:
- https://blogs.blackberry.com/
@@ -1,6 +1,6 @@
title: Group Has Been Deleted Via Groupdel
id: 8a46f16c-8c4c-82d1-b121-0fdd3ba70a84
status: experimental
status: test
description: Detects execution of the "groupdel" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks
references:
- https://linuxize.com/post/how-to-delete-group-in-linux/
@@ -1,6 +1,6 @@
title: Apt GTFOBin Abuse - Linux
id: bb382fd5-b454-47ea-a264-1828e4c766d6
status: experimental
status: test
description: Detects usage of "apt" and "apt-get" as a GTFOBin to execute and proxy command and binary execution
references:
- https://gtfobins.github.io/gtfobins/apt/
@@ -1,6 +1,6 @@
title: Vim GTFOBin Abuse - Linux
id: 7ab8f73a-fcff-428b-84aa-6a5ff7877dea
status: experimental
status: test
description: Detects usage of "vim" and it's siblings as a GTFOBin to execute and proxy command and binary execution
references:
- https://gtfobins.github.io/gtfobins/vim/
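Review bot: "it's siblings" on the `description:` line should be "its siblings".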
@@ -1,6 +1,6 @@
title: Suspicious Package Installed - Linux
id: 700fb7e8-2981-401c-8430-be58e189e741
status: experimental
status: test
description: Detects installation of suspicious packages using system installation utilities
references:
- https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
@@ -1,6 +1,6 @@
title: Flush Iptables Ufw Chain
id: 3be619f4-d9ec-4ea8-a173-18fdd01996ab
status: experimental
status: test
description: Detect use of iptables to flush all firewall rules, tables and chains and allow all network traffic
references:
- https://blogs.blackberry.com/
@@ -1,6 +1,6 @@
title: Mount Execution With Hidepid Parameter
id: ec52985a-d024-41e3-8ff6-14169039a0b3
status: experimental
status: test
description: Detects execution of the "mount" command with "hidepid" parameter to make invisible processes to other users from the system
references:
- https://blogs.blackberry.com/
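Review bot: "to make invisible processes to other users from the system" on the `description:` line is garbled; suggest "to hide processes from other users on the system".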
Expand Up @@ -3,7 +3,7 @@ id: 8344c0e5-5783-47cc-9cf9-a0f7fd03e6cf
related:
- id: 85de3a19-b675-4a51-bfc6-b11a5186c971
type: similar
status: experimental
status: test
description: Detects usage of "find" binary in a suspicious manner to perform discovery
references:
- https://github.com/SaiSathvik1/Linux-Privilege-Escalation-Notes
@@ -1,6 +1,6 @@
title: Suspicious Git Clone - Linux
id: cfec9d29-64ec-4a0f-9ffe-0fdb856d5446
status: experimental
status: test
description: Detects execution of "git" in order to clone a remote repository that contain suspicious keywords which might be suspicious
references:
- https://gist.githubusercontent.com/MichaelKoczwara/12faba9c061c12b5814b711166de8c2f/raw/e2068486692897b620c25fde1ea258c8218fe3d3/history.txt
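Review bot: the `description:` line is redundant ("suspicious keywords which might be suspicious") and has a number-agreement error ("a remote repository that contain"); suggest `description: Detects execution of "git" to clone a remote repository whose URL contains suspicious keywords`.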
@@ -1,6 +1,6 @@
title: Touch Suspicious Service File
id: 31545105-3444-4584-bebf-c466353230d2
status: experimental
status: test
description: Detects usage of the "touch" process in service file.
references:
- https://blogs.blackberry.com/
2 changes: 1 addition & 1 deletion rules/linux/process_creation/proc_creation_lnx_userdel.yml
@@ -1,6 +1,6 @@
title: User Has Been Deleted Via Userdel
id: 08f26069-6f80-474b-8d1f-d971c6fedea0
status: experimental
status: test
description: Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks
references:
- https://linuxize.com/post/how-to-delete-group-in-linux/
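Review bot: the reference `https://linuxize.com/post/how-to-delete-group-in-linux/` is the groupdel article carried over from the Group Has Been Deleted Via Groupdel rule and does not cover `userdel`; replace it with a reference that actually describes user deletion before promoting the rule. The `description:` line also splits a sentence at "binary. Which is used"; join it as `Detects execution of the "userdel" binary, which is used to delete a user account and related files.`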