Promote Older Rules From experimental to test

rules-emerging-threats/2021/Exploits/CVE-2021-40444/file_event_win_exploit_cve_2021_40444.yml

@@ -1,6 +1,6 @@
 title: Suspicious Word Cab File Write CVE-2021-40444
 id: 60c0a111-787a-4e8a-9262-ee485f3ef9d5
-status: experimental
+status: test
 description: Detects file creation patterns noticeable during the exploitation of CVE-2021-40444
 references:
     - https://twitter.com/RonnyTNL/status/1436334640617373699?s=20

rules-emerging-threats/2021/Exploits/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml

@@ -1,6 +1,6 @@
 title: CVE-2021-31979 CVE-2021-33771 Exploits
 id: 32b5db62-cb5f-4266-9639-0fa48376ac00
-status: experimental
+status: test
 description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
 references:
     - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/

rules-emerging-threats/2021/Malware/Devil-Bait/file_event_win_malware_devil_bait_script_drop.yml

@@ -1,6 +1,6 @@
 title: Potential Devil Bait Related Indicator
 id: 93d5f1b4-36df-45ed-8680-f66f242b8415
-status: experimental
+status: test
 description: Detects the creation of ".xml" and ".txt" files in folders of the "\AppData\Roaming\Microsoft" directory by uncommon processes. This behavior was seen common across different Devil Bait samples and stages as described by the NCSC
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf

rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml

@@ -3,7 +3,7 @@ id: e8954be4-b2b8-4961-be18-da1a5bda709c
 related:
     - id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
       type: derived
-status: experimental
+status: test
 description: Detects specific process behavior observed with Devil Bait samples
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf

rules-emerging-threats/2021/Malware/Devil-Bait/proxy_malware_devil_bait_c2_communication.yml

@@ -1,6 +1,6 @@
 title: Devil Bait Potential C2 Communication Traffic
 id: 514c50c9-373a-46e5-9012-f0327c526c8f
-status: experimental
+status: test
 description: Detects potential C2 communication related to Devil Bait malware
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf

rules-emerging-threats/2021/Malware/Goofy-Guineapig/file_event_win_malware_goofy_guineapig_file_indicators.yml

@@ -1,6 +1,6 @@
 title: Goofy Guineapig Backdoor IOC
 id: f0bafe60-1240-4798-9e60-4364b97e6bad
-status: experimental
+status: test
 description: Detects malicious indicators seen used by the Goofy Guineapig malware
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf

rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_broken_cmd.yml

@@ -1,6 +1,6 @@
 title: Potential Goofy Guineapig Backdoor Activity
 id: 477a5ed3-a374-4282-9f3b-ed94e159a108
-status: experimental
+status: test
 description: Detects a specific broken command that was used by Goofy-Guineapig as described by the NCSC report.
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf

rules-emerging-threats/2021/Malware/Goofy-Guineapig/proc_creation_win_malware_goofy_guineapig_googleupdate_uncommon_child_instance.yml

@@ -1,6 +1,6 @@
 title: Potential Goofy Guineapig GoolgeUpdate Process Anomaly
 id: bdbab15a-3826-48fa-a1b7-723cd8f32fcc
-status: experimental
+status: test
 description: Detects "GoogleUpdate.exe" spawning a new instance of itself in an uncommon location as seen used by the Goofy Guineapig backdoor
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf

rules-emerging-threats/2021/Malware/Goofy-Guineapig/proxy_malware_goofy_gunieapig_c2_communication.yml

@@ -1,6 +1,6 @@
 title: Goofy Guineapig Backdoor Potential C2 Communication
 id: 4f573bb6-701a-4b8d-91db-87ae106e9a61
-status: experimental
+status: test
 description: Detects potential C2 communication related to Goofy Guineapig backdoor
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf

rules-emerging-threats/2021/Malware/Goofy-Guineapig/win_system_malware_goofy_guineapig_service_persistence.yml

@@ -1,6 +1,6 @@
 title: Goofy Guineapig Backdoor Service Creation
 id: 8c15dd74-9570-4f48-80b2-29996fd91ee6
-status: experimental
+status: test
 description: Detects service creation persistence used by the Goofy Guineapig backdoor
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf

rules-emerging-threats/2021/Malware/Small-Sieve/file_event_win_malware_small_sieve_evasion_typo.yml

@@ -1,6 +1,6 @@
 title: Small Sieve Malware File Indicator Creation
 id: 39466c42-c189-476a-989f-8cdb135c163a
-status: experimental
+status: test
 description: Detects filename indicators that contain a specific typo seen used by the Small Sieve malware.
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf

rules-emerging-threats/2021/Malware/Small-Sieve/proxy_malware_small_sieve_telegram_communication.yml

@@ -1,6 +1,6 @@
 title: Small Sieve Malware Potential C2 Communication
 id: b0422664-37a4-4e78-949a-4a139309eaf0
-status: experimental
+status: test
 description: Detects potential C2 communication related to Small Sieve malware
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf

rules-emerging-threats/2021/Malware/Small-Sieve/registry_set_malware_small_sieve_evasion_typo.yml

@@ -1,6 +1,6 @@
 title: Small Sieve Malware Registry Persistence
 id: 65c6e3c1-fb28-4c03-a51e-84919d8185f1
-status: experimental
+status: test
 description: Detects registry value with specific intentional typo and strings seen used by the Small Sieve malware
 references:
     - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/small-sieve/NCSC-MAR-Small-Sieve.pdf

rules-emerging-threats/2022/Exploits/CVE-2022-21554/proc_creation_win_exploit_cve_2023_21554_queuejumper.yml

@@ -1,6 +1,6 @@
 title: Potential CVE-2023-21554 QueueJumper Exploitation
 id: 53207cc2-0745-4c19-bc72-80be1cc16b3f
-status: experimental
+status: test
 description: Detects potential exploitation of CVE-2023-21554 (dubbed QueueJumper)
 references:
     - https://research.checkpoint.com/2023/queuejumper-critical-unauthorized-rce-vulnerability-in-msmq-service/

rules-emerging-threats/2022/Exploits/CVE-2022-41120/proc_creation_win_exploit_cve_2022_41120_sysmon_eop.yml

@@ -1,6 +1,6 @@
 title: Suspicious Sysmon as Execution Parent
 id: 6d1058a4-407e-4f3a-a144-1968c11dc5c3
-status: experimental
+status: test
 description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
 references:
     - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120

rules-emerging-threats/2022/Exploits/CVE-2022-42475/fortios_sslvpnd_exploit_cve_2022_42475_exploitation_indicators.yml

@@ -1,6 +1,6 @@
 title: Exploitation Indicator Of CVE-2022-42475
 id: 293ccb8c-bed8-4868-8296-bef30e303b7e
-status: experimental
+status: test
 description: Detects exploitation indicators of CVE-2022-42475 a heap-based buffer overflow in sslvpnd.
 references:
     - https://www.fortiguard.com/psirt/FG-IR-22-398

rules-emerging-threats/2022/Malware/BlueSky-Ransomware/win_security_malware_bluesky_ransomware_files_indicators.yml

@@ -1,6 +1,6 @@
 title: BlueSky Ransomware Artefacts
 id: eee8311f-a752-44f0-bf2f-6b007db16300
-status: experimental
+status: test
 description: Detect access to files and shares with names and extensions used by BlueSky ransomware which could indicate a current or previous encryption attempt.
 references:
     - https://unit42.paloaltonetworks.com/bluesky-ransomware/

rules-emerging-threats/2023/Exploits/CVE-2023-20198/cisco_syslog_cve_2023_20198_ios_xe_web_ui.yml

@@ -1,6 +1,6 @@
 title: Exploitation Indicators Of CVE-2023-20198
 id: 2ece8816-b7a0-4d9b-b0e8-ae7ad18bc02b
-status: experimental
+status: test
 description: Detecting exploitation indicators of CVE-2023-20198 a privilege escalation vulnerability in Cisco IOS XE Software Web UI.
 references:
     - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_lnx_exploit_cve_2023_22518_confluence_java_child_proc.yml

@@ -3,7 +3,7 @@ id: f8987c03-4290-4c96-870f-55e75ee377f4
 related:
     - id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db
       type: similar
-status: experimental
+status: test
 description: |
     Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
 references:

rules-emerging-threats/2023/Exploits/CVE-2023-22518/proc_creation_win_exploit_cve_2023_22518_confluence_tomcat_child_proc.yml

@@ -3,7 +3,7 @@ id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db
 related:
     - id: f8987c03-4290-4c96-870f-55e75ee377f4
       type: similar
-status: experimental
+status: test
 description: |
     Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
 references:

rules-emerging-threats/2023/Exploits/CVE-2023-22518/proxy_exploit_cve_2023_22518_confluence_auth_bypass.yml

@@ -3,7 +3,7 @@ id: 27d2cdde-9778-490e-91ec-9bd0be6e8cc6
 related:
     - id: a902d249-9b9c-4dc4-8fd0-fbe528ef965c
       type: similar
-status: experimental
+status: test
 description: |
     Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
 references:

rules-emerging-threats/2023/Exploits/CVE-2023-22518/web_exploit_cve_2023_22518_confluence_auth_bypass.yml

@@ -3,7 +3,7 @@ id: a902d249-9b9c-4dc4-8fd0-fbe528ef965c
 related:
     - id: 27d2cdde-9778-490e-91ec-9bd0be6e8cc6
       type: similar
-status: experimental
+status: test
 description: |
     Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
 references:

rules-emerging-threats/2023/Exploits/CVE-2023-2283/lnx_sshd_exploit_cve_2023_2283_libssh_authentication_bypass.yml

@@ -1,6 +1,6 @@
 title: Potential CVE-2023-2283 Exploitation
 id: 8b244735-5833-4517-a45b-28d8c63924c0
-status: experimental
+status: test
 description: Detects potential exploitation attempt of CVE-2023-2283 an authentication bypass in libSSH. The exploitation method causes an error message stating that keys for curve25519 could not be generated. It is an error message that is a sign of an exploitation attempt. It is not a sign of a successful exploitation.
 references:
     - https://twitter.com/kevin_backhouse/status/1666459308941357056?s=20

rules-emerging-threats/2023/Exploits/CVE-2023-23397/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml

@@ -1,6 +1,6 @@
 title: Outlook Task/Note Reminder Received
 id: fc06e655-d98c-412f-ac76-05c2698b1cb2
-status: experimental
+status: test
 description: Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.
 references:
     - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/

rules-emerging-threats/2023/Exploits/CVE-2023-25157/web_cve_2023_25157_geoserver_sql_injection.yml

@@ -1,6 +1,6 @@
 title: Potential CVE-2023-25157 Exploitation Attempt
 id: c0341543-5ed0-4475-aabc-7eea8c52aa66
-status: experimental
+status: test
 description: Detects a potential exploitation attempt of CVE-2023-25157 a SQL injection in GeoServer
 references:
     - https://github.com/win3zz/CVE-2023-25157

rules-emerging-threats/2023/Exploits/CVE-2023-25717/web_cve_2023_25717_ruckus_wireless_admin_exploit_attempt.yml

@@ -1,6 +1,6 @@
 title: Potential CVE-2023-25717 Exploitation Attempt
 id: 043c1609-0e32-4462-a6f2-5a0c2da3fafe
-status: experimental
+status: test
 description: Detects a potential exploitation attempt of CVE-2023-25717 a Remote Code Execution via an unauthenticated HTTP GET Request, in Ruckus Wireless Admin
 references:
     - https://cybir.com/2023/cve/proof-of-concept-ruckus-wireless-admin-10-4-unauthenticated-remote-code-execution-csrf-ssrf/

rules-emerging-threats/2023/Exploits/CVE-2023-27363/file_event_win_cve_2023_27363_foxit_rce.yml

@@ -1,6 +1,6 @@
 title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
 id: 9cae055f-e1d2-4f81-b8a5-1986a68cdd84
-status: experimental
+status: test
 description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
 references:
     - https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363

rules-emerging-threats/2023/Exploits/CVE-2023-27997/web_cve_2023_27997_pre_authentication_rce.yml

@@ -1,6 +1,6 @@
 title: Potential CVE-2023-27997 Exploitation Indicators
 id: 31e4e649-7394-4fd2-9ae7-dbc61eebb550
-status: experimental
+status: test
 description: |
     Detects indicators of potential exploitation of CVE-2023-27997 in Frotigate weblogs.
     To avoid false positives it is best to look for successive requests to the endpoints mentioned as well as weird values of the "enc" parameter

rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/file_event_win_exploit_cve_2023_34362_moveit_transfer.yml

@@ -1,6 +1,6 @@
 title: Potential MOVEit Transfer CVE-2023-34362 Exploitation
 id: c3b2a774-3152-4989-83c1-7afc48fd1599
-status: experimental
+status: test
 description: Detects file indicators of potential exploitation of MOVEit CVE-2023-34362.
 references:
     - https://www.bleepingcomputer.com/news/security/new-moveit-transfer-zero-day-mass-exploited-in-data-theft-attacks/

rules-emerging-threats/2023/Exploits/CVE-2023-34362-MOVEit-Transfer-Exploit/web_cve_2023_34362_known_payload_request.yml.yml

@@ -1,6 +1,6 @@
 title: MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
 id: 435e41f2-48eb-4c95-8a2b-ed24b50ec30b
-status: experimental
+status: test
 description: Detects get requests to specific files used during the exploitation of MOVEit CVE-2023-34362
 references:
     - https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023

rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_report_creation.yml

@@ -1,6 +1,6 @@
 title: Potential CVE-2023-36874 Exploitation - Uncommon Report.Wer Location
 id: 92389a99-5215-43b0-a09f-e334453b2ed3
-status: experimental
+status: test
 description: Detects the creation of a "Report.wer" file in an uncommon folder structure. This could be a sign of potential exploitation of CVE-2023-36874.
 references:
     - https://github.com/Wh04m1001/CVE-2023-36874

rules-emerging-threats/2023/Exploits/CVE-2023-36874/file_event_win_exploit_cve_2023_36874_wermgr_creation.yml

@@ -1,6 +1,6 @@
 title: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
 id: ad0960eb-0015-4d16-be13-b3d9f18f1342
-status: experimental
+status: test
 description: Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
 references:
     - https://github.com/Wh04m1001/CVE-2023-36874

rules-emerging-threats/2023/Exploits/CVE-2023-36874/proc_creation_win_exploit_cve_2023_36874_fake_wermgr.yml

@@ -1,6 +1,6 @@
 title: Potential CVE-2023-36874 Exploitation - Fake Wermgr Execution
 id: 50dbc08b-60ce-40f1-a6b6-346497e34c88
-status: experimental
+status: test
 description: Detects the execution of a renamed "cmd", "powershell" or "powershell_ise" binary. Attackers were seen using these binaries in a renamed form as "wermgr.exe" in exploitation of CVE-2023-36874
 references:
     - https://github.com/Wh04m1001/CVE-2023-36874

rules-emerging-threats/2023/Exploits/CVE-2023-36884/file_event_win_exploit_cve_2023_36884_office_windows_html_rce_file_patterns.yml

@@ -1,6 +1,6 @@
 title: Potential CVE-2023-36884 Exploitation Dropped File
 id: 8023d3a2-dcdc-44da-8fa9-5c7906e55b38
-status: experimental
+status: test
 description: Detects a specific file being created in the recent folder of Office. These files have been seen being dropped during potential exploitations of CVE-2023-36884
 references:
     - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit

rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce.yml

@@ -1,6 +1,6 @@
 title: Potential CVE-2023-36884 Exploitation Pattern
 id: 0066d244-c277-4c3e-88ec-9e7b777cc8bc
-status: experimental
+status: test
 description: Detects a unique pattern seen being used by RomCom potentially exploiting CVE-2023-36884
 references:
     - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit

rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_extenstion_ip_pattern_traffic.yml

@@ -1,6 +1,6 @@
 title: Potential CVE-2303-36884 URL Request Pattern Traffic
 id: d9365e39-febd-4a4b-8441-3ca91bb9d333
-status: experimental
+status: test
 description: Detects a specific URL pattern containing a specific extension and parameters pointing to an IP address. This pattern was seen being used by RomCOM potentially exploiting CVE-2023-36884
 references:
     - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit

rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_traffic.yml

@@ -1,6 +1,6 @@
 title: Potential CVE-2023-36884 Exploitation - File Downloads
 id: 6af1617f-c179-47e3-bd66-b28034a1052d
-status: experimental
+status: test
 description: Detects files seen being requested by RomCom while potentially exploiting CVE-2023-36884
 references:
     - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit

rules-emerging-threats/2023/Exploits/CVE-2023-36884/proxy_exploit_cve_2023_36884_office_windows_html_rce_url_marker_traffic.yml

@@ -1,6 +1,6 @@
 title: Potential CVE-2023-36884 Exploitation - URL Marker
 id: e59f71ff-c042-4f7a-8a82-8f53beea817e
-status: experimental
+status: test
 description: Detects a unique URL marker seen being used by RomCom potentially exploiting CVE-2023-36884
 references:
     - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit

rules-emerging-threats/2023/Exploits/CVE-2023-36884/win_security_exploit_cve_2023_36884_office_windows_html_rce_share_access_pattern.yml

@@ -1,6 +1,6 @@
 title: Potential CVE-2023-36884 Exploitation - Share Access
 id: 3df95076-9e78-4e63-accb-16699c3b74f8
-status: experimental
+status: test
 description: Detects access to a file share with a naming schema seen being used during exploitation of CVE-2023-36884
 references:
     - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit

rules-emerging-threats/2023/Exploits/CVE-2023-38831/file_event_win_exploit_cve_2023_38331_winrar_susp_double_ext.yml

@@ -3,7 +3,7 @@ id: e4556676-fc5c-4e95-8c39-5ef27791541f
 related:
     - id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
       type: similar
-status: experimental
+status: test
 description: Detects the creation of a file with a double extension and a space by WinRAR. This could be a sign of exploitation of CVE-2023-38331
 references:
     - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/

rules-emerging-threats/2023/Exploits/CVE-2023-38831/proc_creation_win_exploit_cve_2023_38831_winrar_child_proc.yml

@@ -3,7 +3,7 @@ id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
 related:
     - id: e4556676-fc5c-4e95-8c39-5ef27791541f
       type: similar
-status: experimental
+status: test
 description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
 references:
     - https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/

rules-emerging-threats/2023/Exploits/CVE-2023-40477/file_event_win_exploit_cve_2023_40477_winrar_rev_file_abuse.yml

@@ -1,6 +1,6 @@
 title: CVE-2023-40477 Potential Exploitation - .REV File Creation
 id: c3bd6c55-d495-4c34-918e-e03e8828c074
-status: experimental
+status: test
 description: Detects the creation of ".rev" files by WinRAR. Could be indicative of potential exploitation of CVE-2023-40477. Look for a suspicious execution shortly after creation or a WinRAR application crash.
 references:
     - https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/

rules-emerging-threats/2023/Exploits/CVE-2023-40477/win_application_exploit_cve_2023_40477_winrar_crash.yml

@@ -1,6 +1,6 @@
 title: CVE-2023-40477 Potential Exploitation - WinRAR Application Crash
 id: e5a29b54-6fe7-4258-8a23-82960e31231a
-status: experimental
+status: test
 description: Detects a crash of "WinRAR.exe" where the version is lower than 6.23. This could indicate potential exploitation of CVE-2023-40477
 references:
     - https://wildptr.io/winrar-cve-2023-40477-poc-new-vulnerability-winrar-security-research/

rules-emerging-threats/2023/Exploits/CVE-2023-43261/proxy_exploit_cve_2023_43261_milesight_information_disclosure.yml

@@ -3,7 +3,7 @@ id: f48f5368-355c-4a1b-8bf5-11c13d589eaa
 related:
     - id: a2bcca38-9f3a-4d5e-b603-0c587e8569d7
       type: similar
-status: experimental
+status: test
 description: |
     Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in proxy logs.
 references:

rules-emerging-threats/2023/Exploits/CVE-2023-43261/web_exploit_cve_2023_43261_milesight_information_disclosure.yml

@@ -3,7 +3,7 @@ id: a2bcca38-9f3a-4d5e-b603-0c587e8569d7
 related:
     - id: f48f5368-355c-4a1b-8bf5-11c13d589eaa
       type: similar
-status: experimental
+status: test
 description: |
     Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in access logs.
 references:

rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise.yml

@@ -3,7 +3,7 @@ id: 04017cd5-621e-4ec4-a762-1f042fe3d3e5
 related:
     - id: ba5268de-4dd4-4d5c-8a90-2b5e6dc1aff8
       type: derived
-status: experimental
+status: test
 description: |
     Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing
 references:

rules-emerging-threats/2023/Exploits/CVE-2023-46214/web_cve_2023_46214_rce_splunk_enterprise_poc.yml

@@ -3,7 +3,7 @@ id: ba5268de-4dd4-4d5c-8a90-2b5e6dc1aff8
 related:
     - id: 04017cd5-621e-4ec4-a762-1f042fe3d3e5
       type: derived
-status: experimental
+status: test
 description: |
     Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code
 references:

rules-emerging-threats/2023/Exploits/CVE-2023-46747/proxy_cve_2023_46747_f5_remote_code_execution.yml

@@ -3,7 +3,7 @@ id: f195b2ff-e542-41bf-8d91-864fb81e5c20
 related:
     - id: e9928831-ba14-42ea-a4bc-33d352b9929a
       type: similar
-status: experimental
+status: test
 description: Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.
 references:
     - https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main