Promote Older Rules From experimental to test #1

@@ -1,6 +1,6 @@
title: Rejetto HTTP File Server RCE
id: a133193c-2daa-4a29-8022-018695fcf0ae
status: experimental
status: test
description: Detects attempts to exploit a Rejetto HTTP File Server (HFS) via CVE-2014-6287
references:
- https://vk9-sec.com/hfs-code-execution-cve-2014-6287/
@@ -7,7 +7,7 @@ related:
type: similar
- id: ce6e34ca-966d-41c9-8d93-5b06c8b97a06 # ProcessCreation
type: similar
status: experimental
status: test
description: Detects OilRig schedule task persistence as reported by Nyotron in their March 2018 report
references:
- https://web.archive.org/web/20180402134442/https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018C.pdf
@@ -1,6 +1,6 @@
title: Potential EmpireMonkey Activity
id: 10152a7b-b566-438f-a33c-390b607d1c8d
status: experimental
status: test
description: Detects potential EmpireMonkey APT activity
references:
- https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
@@ -1,7 +1,7 @@
title: Potential CVE-2021-26084 Exploitation Attempt
id: 38825179-3c78-4fed-b222-2e2166b926b1
description: Detects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection
status: experimental
status: test
references:
- https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md
- https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
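Review bot: the description line in this hunk carries a typo in the CVE identifier, `CVE-2021-260841`, while the title and both references use CVE-2021-26084; since the file is being touched anyway, correct it in the same commit rather than promoting a rule whose description names a non-existent CVE. The same hunk also places `status` after `description`, unlike every other rule in this PR where `status` precedes `description`; reorder the two keys so the promoted rules share one layout.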
@@ -1,6 +1,6 @@
title: Potential CVE-2021-27905 Exploitation Attempt
id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3
status: experimental
status: test
description: Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1.
references:
- https://twitter.com/Al1ex4/status/1382981479727128580
@@ -1,6 +1,6 @@
title: Suspicious Word Cab File Write CVE-2021-40444
id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5
status: experimental
status: test
description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
references:
- https://twitter.com/RonnyTNL/status/1436334640617373699?s=20
@@ -1,6 +1,6 @@
title: Potential Exploitation Attempt From Office Application
id: 868955d9-697e-45d4-a3da-360cefd7c216
status: experimental
status: test
description: Detects Office applications executing a child process that includes directory traversal patterns. This could be an attempt to exploit CVE-2022-30190 (MSDT RCE) or CVE-2021-40444 (MSHTML RCE)
references:
- https://twitter.com/sbousseaden/status/1531653369546301440
@@ -1,6 +1,6 @@
title: CVE-2021-41773 Exploitation Attempt
id: 3007fec6-e761-4319-91af-e32e20ac43f5
status: experimental
status: test
description: |
Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49.
An attacker could use a path traversal attack to map URLs to files outside the expected document root.
@@ -1,6 +1,6 @@
title: Log4j RCE CVE-2021-44228 in Fields
id: 9be472ed-893c-4ec0-94da-312d2765f654
status: experimental
status: test
description: Detects exploitation attempt against log4j RCE vulnerability reported as CVE-2021-44228 in different header fields found in web server logs (Log4Shell)
references:
- https://www.lunasec.io/docs/blog/log4j-zero-day/
@@ -1,6 +1,6 @@
title: Exchange ProxyShell Pattern
id: 23eee45e-933b-49f9-ae1b-df706d2d52ef
status: experimental
status: test
description: Detects URL patterns that could be found in ProxyShell exploitation attempts against Exchange servers (failed and successful)
references:
- https://youtu.be/5mqid-7zp8k?t=2231
@@ -1,6 +1,6 @@
title: CVE-2021-31979 CVE-2021-33771 Exploits
id: 32b5db62-cb5f-4266-9639-0fa48376ac00
status: experimental
status: test
description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
references:
- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
@@ -1,6 +1,6 @@
title: Potential Devil Bait Related Indicator
id: 93d5f1b4-36df-45ed-8680-f66f242b8415
status: experimental
status: test
description: Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
@@ -3,7 +3,7 @@ id: e8954be4-b2b8-4961-be18-da1a5bda709c
related:
- id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
type: derived
status: experimental
status: test
description: Detects specific process behavior observed with Devil Bait samples
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
@@ -1,6 +1,6 @@
title: Devil Bait Potential C2 Communication Traffic
id: 514c50c9-373a-46e5-9012-f0327c526c8f
status: experimental
status: test
description: Detects potential C2 communication related to Devil Bait malware
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf
@@ -1,6 +1,6 @@
title: Goofy Guineapig Backdoor IOC
id: f0bafe60-1240-4798-9e60-4364b97e6bad
status: experimental
status: test
description: Detects malicious indicators seen used by the Goofy Guineapig malware
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
@@ -1,6 +1,6 @@
title: Potential Goofy Guineapig Backdoor Activity
id: 477a5ed3-a374-4282-9f3b-ed94e159a108
status: experimental
status: test
description: Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
@@ -1,6 +1,6 @@
title: Potential Goofy Guineapig GoolgeUpdate Process Anomaly
id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc
status: experimental
status: test
description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
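Review bot: the title `Potential Goofy Guineapig GoolgeUpdate Process Anomaly` misspells GoogleUpdate, while the description directly below it correctly says `"GoogleUpdate.exe"`; fix the title in this commit rather than promoting a rule with a typo in its name, since the title is what analysts will search for.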
@@ -1,6 +1,6 @@
title: Goofy Guineapig Backdoor Potential C2 Communication
id: 4f573bb6-701a-4b8d-91db-87ae106e9a61
status: experimental
status: test
description: Detects potential C2 communication related to Goofy Guineapig backdoor
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
@@ -1,6 +1,6 @@
title: Goofy Guineapig Backdoor Service Creation
id: 8c15dd74-9570-4f48-80b2-29996fd91ee6
status: experimental
status: test
description: Detects service creation persistence used by the Goofy Guineapig backdoor
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
@@ -5,7 +5,7 @@ related:
type: similar
- id: b2400ffb-7680-47c0-b08a-098a7de7e7a9 # Process Creation
type: similar
status: experimental
status: test
description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel
@@ -1,6 +1,6 @@
title: Small Sieve Malware File Indicator Creation
id: 39466c42-c189-476a-989f-8cdb135c163a
status: experimental
status: test
description: Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
@@ -1,6 +1,6 @@
title: Small Sieve Malware Potential C2 Communication
id: b0422664-37a4-4e78-949a-4a139309eaf0
status: experimental
status: test
description: Detects potential C2 communication related to Small Sieve malware
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
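Review bot: the only reference in this Small Sieve rule points at the Goofy Guineapig report (`NCSC-MAR-Goofy-Guineapig.pdf`), whereas the two sibling Small Sieve rules in this PR cite `NCSC-MAR-Small-Sieve.pdf`; a rule whose listed source describes a different malware family should not move to `test` until the reference is corrected to the Small Sieve report.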
@@ -1,6 +1,6 @@
title: Small Sieve Malware Registry Persistence
id: 65c6e3c1-fb28-4c03-a51e-84919d8185f1
status: experimental
status: test
description: Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware
references:
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf
@@ -1,6 +1,6 @@
title: Potential CVE-2023-21554 QueueJumper Exploitation
id: 53207cc2-0745-4c19-bc72-80be1cc16b3f
status: experimental
status: test
description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
references:
- https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/
@@ -1,6 +1,6 @@
title: Potential CVE-2022-21587 Exploitation Attempt
id: d033cb8a-8669-4a8e-a974-48d4185a8503
status: experimental
status: test
description: Detects potential exploitation attempts of CVE-2022-21587 an arbitrary file upload vulnerability impacting Oracle E-Business Suite (EBS). CVE-2022-21587 can lead to unauthenticated remote code execution.
references:
- https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-observed-exploitation-of-oracle-e-business-suite-vulnerability/
@@ -1,6 +1,6 @@
title: Potential CVE-2022-26809 Exploitation Attempt
id: a7cd7306-df8b-4398-b711-6f3e4935cf16
status: experimental
status: test
description: Detects suspicious remote procedure call (RPC) service anomalies based on the spawned sub processes (long shot to detect the exploitation of vulnerabilities like CVE-2022-26809)
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809
@@ -1,6 +1,6 @@
title: Zimbra Collaboration Suite Email Server Unauthenticated RCE
id: dd218fb6-4d02-42dc-85f0-a0a376072efd
status: experimental
status: test
description: Detects an attempt to leverage the vulnerable servlet "mboximport" for an unauthenticated remote command injection
references:
- https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/
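Review bot: the title `Zimbra Collaboration Suite Email Server Unauthenticated RCE` omits the CVE identifier even though the reference is the Volexity CVE-2022-27925 write-up and the other vulnerability rules in this PR carry the CVE in their title; add CVE-2022-27925 to the title or description so the promoted rule can be found by identifier like the rest of the set.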
@@ -1,6 +1,6 @@
title: Potential CVE-2022-29072 Exploitation Attempt
id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ee3
status: experimental
status: test
description: |
Detects potential exploitation attempts of CVE-2022-29072, a 7-Zip privilege escalation and command execution vulnerability.
7-Zip version 21.07 and earlier on Windows allows privilege escalation (CVE-2022-29072) and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow.
@@ -1,6 +1,6 @@
title: CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
id: fcf1101d-07c9-49b2-ad81-7e421ff96d80
status: experimental
status: test
description: |
Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users.
@@ -1,6 +1,6 @@
title: CVE-2022-31659 VMware Workspace ONE Access RCE
id: efdb2003-a922-48aa-8f37-8b80021a9706
status: experimental
status: test
description: Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
references:
- https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
@@ -1,6 +1,6 @@
title: Apache Spark Shell Command Injection - Weblogs
id: 1a9a04fd-02d1-465c-abad-d733fd409f9c
status: experimental
status: test
description: Detects attempts to exploit an apache spark server via CVE-2014-6287 from a weblogs perspective
references:
- https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py
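Review bot: the description says this rule detects exploitation of an Apache Spark server "via CVE-2014-6287", but that identifier is the Rejetto HTTP File Server vulnerability used by the first rule in this PR, and the reference here is a CVE-2022-33891 proof of concept; change the description to CVE-2022-33891 before promoting, since a rule whose description names the wrong CVE will mislead anyone triaging its alerts.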
@@ -1,6 +1,6 @@
title: Atlassian Bitbucket Command Injection Via Archive API
id: 65c0a0ab-d675-4441-bd6b-d3db226a2685
status: experimental
status: test
description: Detects attempts to exploit the Atlassian Bitbucket Command Injection CVE-2022-36804
references:
- https://twitter.com/_0xf4n9x_/status/1572052954538192901
@@ -1,6 +1,6 @@
title: Suspicious Sysmon as Execution Parent
id: 6d1058a4-407e-4f3a-a144-1968c11dc5c3
status: experimental
status: test
description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120
@@ -1,6 +1,6 @@
title: Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877
id: 1b2eeb27-949b-4704-8bfa-d8e5cfa045a1
status: experimental
status: test
description: Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877
references:
- https://seclists.org/fulldisclosure/2023/Jan/1
@@ -1,6 +1,6 @@
title: Potential CVE-2022-46169 Exploitation Attempt
id: 738cb115-881f-4df3-82cc-56ab02fc5192
status: experimental
status: test
description: Detects potential exploitation attempts that target the Cacti Command Injection CVE-2022-46169
references:
- https://github.com/0xf4n9x/CVE-2022-46169
@@ -1,6 +1,6 @@
title: Potential OWASSRF Exploitation Attempt - Webserver
id: 181f49fa-0b21-4665-a98c-a57025ebb8c7
status: experimental
status: test
description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint
references:
- https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
@@ -1,6 +1,6 @@
title: OWASSRF Exploitation Attempt Using Public POC - Webserver
id: 92d78c63-5a5c-4c40-9b60-463810ffb082
status: experimental
status: test
description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
references:
- https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
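Review bot: both OWASSRF descriptions (this hunk and the one above it) run two sentences together without punctuation, `targeting exchange servers It uses the OWA endpoint`; add the full stop and capitalise Exchange so the descriptions read cleanly once the rules are marked `test`.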
@@ -1,6 +1,6 @@
title: BlueSky Ransomware Artefacts
id: eee8311f-a752-44f0-bf2f-6b007db16300
status: experimental
status: test
description: Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.
references:
- https://unit42.paloaltonetworks.com/bluesky-ransomware/
@@ -1,6 +1,6 @@
title: Potential Raspberry Robin Dot Ending File
id: a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a
status: experimental
status: test
description: Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin
author: Nasreddine Bencherchali (Nextron Systems)
references:
@@ -1,6 +1,6 @@
title: MERCURY APT Activity
id: a62298a3-1fe0-422f-9a68-ffbcbc5a123d
status: experimental
status: test
description: Detects suspicious command line patterns seen being used by MERCURY APT
references:
- https://www.microsoft.com/security/blog/2022/08/25/mercury-leveraging-log4j-2-vulnerabilities-in-unpatched-systems-to-target-israeli-organizations/
@@ -1,6 +1,6 @@
title: Exploitation Indicators Of CVE-2023-20198
id: 2ece8816-b7a0-4d9b-b0e8-ae7ad18bc02b
status: experimental
status: test
description: Detecting exploitation indicators of CVE-2023-20198 a privilege escalation vulnerability in Cisco IOS XE Software Web UI.
references:
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
@@ -1,6 +1,6 @@
title: Potential CVE-2023-2283 Exploitation
id: 8b244735-5833-4517-a45b-28d8c63924c0
status: experimental
status: test
description: Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.
references:
- https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20
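Review bot: the description in this hunk says the same thing three times ("causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation."); tighten it to one sentence, e.g. "The resulting error message, stating that keys for curve25519 could not be generated, indicates an exploitation attempt, not a successful exploitation.", so the promoted rule's description reads cleanly.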
@@ -1,6 +1,6 @@
title: Outlook Task/Note Reminder Received
id: fc06e655-d98c-412f-ac76-05c2698b1cb2
status: experimental
status: test
description: Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.
references:
- https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
@@ -1,6 +1,6 @@
title: CVE-2023-23397 Exploitation Attempt
id: 73c59189-6a6d-4b9f-a748-8f6f9bbed75c
status: experimental
status: test
description: Detects outlook initiating connection to a WebDAV or SMB share, which could be a sign of CVE-2023-23397 exploitation.
author: Robert Lee @quantum_cookie
date: 2023/03/16
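Review bot: this rule carries `date: 2023/03/16`, so it is much newer than, for example, the CVE-2014-6287 HFS rule at the top of this PR, yet the PR title calls the set "Older Rules" without stating a cutoff; please give the age criterion (or the date range of the rules included) in the PR description so reviewers can check that each rule qualifies, and say whether the `modified` field is expected to change along with the status, since no hunk in this PR touches it.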
@@ -1,6 +1,6 @@
title: Potential CVE-2023-23397 Exploitation Attempt - SMB
id: de96b824-02b0-4241-9356-7e9b47f04bac
status: experimental
status: test
description: Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
references:
- https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
@@ -1,6 +1,6 @@
title: Potential CVE-2023-23752 Exploitation Attempt
id: 0e1ebc5a-15d0-4bf6-8199-b2535397433a
status: experimental
status: test
description: Detects the potential exploitation attempt of CVE-2023-23752 an Improper access check, in web service endpoints in Joomla
references:
- https://xz.aliyun.com/t/12175
@@ -1,6 +1,6 @@
title: Potential CVE-2023-25157 Exploitation Attempt
id: c0341543-5ed0-4475-aabc-7eea8c52aa66
status: experimental
status: test
description: Detects a potential exploitation attempt of CVE-2023-25157 a SQL injection in GeoServer
references:
- https://github.com/win3zz/CVE-2023-25157
@@ -1,6 +1,6 @@
title: Potential CVE-2023-25717 Exploitation Attempt
id: 043c1609-0e32-4462-a6f2-5a0c2da3fafe
status: experimental
status: test
description: Detects a potential exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin
references:
- https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/
@@ -1,6 +1,6 @@
title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
id: 9cae055f-e1d2-4f81-b8a5-1986a68cdd84
status: experimental
status: test
description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
references:
- https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363