Promote Older Rules From experimental to test

.github/workflows/sigma-test.yml

@@ -62,7 +62,7 @@ jobs:
       run: |
         pip install pysigma
         pip install sigma-cli
-        pip install pySigma-validators-sigmahq==0.10.*
+        pip install pySigma-validators-sigmahq==0.11.*
     - name: Test Sigma Rule Syntax
       run: |
         sigma check --fail-on-error --fail-on-issues --validation-config tests/sigma_cli_conf.yml rules*

rules-emerging-threats/2014/Exploits/CVE-2014-6287/web_cve_2014_6287_hfs_rce.yml

@@ -10,6 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-07-19
 modified: 2023-01-02
 tags:
+    - attack.persistence
     - attack.initial-access
     - attack.t1190
     - attack.t1505.003

rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml

@@ -8,6 +8,9 @@ author: Florian Roth (Nextron Systems)
 date: 2020-05-26
 modified: 2021-11-27
 tags:
+    - attack.privilege-escalation
+    - attack.persistence
+    - attack.defense-evasion
     - attack.g0010
     - attack.execution
     - attack.t1059.001

rules-emerging-threats/2017/Malware/CosmicDuke/win_security_mal_cosmik_duke_persistence.yml

@@ -13,6 +13,8 @@ author: Florian Roth (Nextron Systems), Daniil Yugoslavskiy, oscd.community (upd
 date: 2017-03-27
 modified: 2022-10-09
 tags:
+    - attack.privilege-escalation
+    - attack.execution
     - attack.persistence
     - attack.t1543.003
     - attack.t1569.002

rules-emerging-threats/2017/Malware/PlugX/proc_creation_win_malware_plugx_susp_exe_locations.yml

@@ -9,6 +9,8 @@ author: Florian Roth (Nextron Systems)
 date: 2017-06-12
 modified: 2023-02-03
 tags:
+    - attack.privilege-escalation
+    - attack.persistence
     - attack.s0013
     - attack.defense-evasion
     - attack.t1574.001

rules-emerging-threats/2017/Malware/StoneDrill/win_system_apt_stonedrill.yml

@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2017-03-07
 modified: 2021-11-30
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.g0064
     - attack.t1543.003

rules-emerging-threats/2017/TA/Equation-Group/net_firewall_apt_equationgroup_c2.yml

@@ -9,6 +9,7 @@ author: Florian Roth (Nextron Systems)
 date: 2017-04-15
 modified: 2021-11-27
 tags:
+    - attack.exfiltration
     - attack.command-and-control
     - attack.g0020
     - attack.t1041

rules-emerging-threats/2017/TA/Turla/win_system_apt_carbonpaper_turla.yml

@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2017-03-31
 modified: 2021-11-30
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.g0010
     - attack.t1543.003

rules-emerging-threats/2017/TA/Turla/win_system_apt_turla_service_png.yml

@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2018-11-23
 modified: 2021-11-30
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.g0010
     - attack.t1543.003

rules-emerging-threats/2018/TA/APT27/proc_creation_win_apt_apt27_emissary_panda.yml

@@ -10,6 +10,8 @@ author: Florian Roth (Nextron Systems)
 date: 2018-09-03
 modified: 2023-03-09
 tags:
+    - attack.privilege-escalation
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1574.001
     - attack.g0027

rules-emerging-threats/2018/TA/APT32-Oceanlotus/registry_event_apt_oceanlotus_registry.yml

@@ -9,6 +9,7 @@ author: megan201296, Jonhnathan Ribeiro
 date: 2019-04-14
 modified: 2023-09-28
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
     - detection.emerging-threats

rules-emerging-threats/2018/TA/OilRig/proc_creation_win_apt_oilrig_mar18.yml

@@ -15,6 +15,8 @@ author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil
 date: 2018-03-23
 modified: 2023-03-08
 tags:
+    - attack.privilege-escalation
+    - attack.execution
     - attack.persistence
     - attack.g0049
     - attack.t1053.005

rules-emerging-threats/2018/TA/OilRig/registry_event_apt_oilrig_mar18.yml

@@ -15,6 +15,8 @@ author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil
 date: 2018-03-23
 modified: 2023-03-08
 tags:
+    - attack.privilege-escalation
+    - attack.execution
     - attack.persistence
     - attack.g0049
     - attack.t1053.005

rules-emerging-threats/2018/TA/OilRig/win_security_apt_oilrig_mar18.yml

@@ -15,6 +15,8 @@ author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil
 date: 2018-03-23
 modified: 2023-03-08
 tags:
+    - attack.privilege-escalation
+    - attack.execution
     - attack.persistence
     - attack.g0049
     - attack.t1053.005

rules-emerging-threats/2018/TA/OilRig/win_system_apt_oilrig_mar18.yml

@@ -15,6 +15,8 @@ author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil
 date: 2018-03-23
 modified: 2023-03-08
 tags:
+    - attack.privilege-escalation
+    - attack.execution
     - attack.persistence
     - attack.g0049
     - attack.t1053.005

rules-emerging-threats/2018/TA/Slingshot/proc_creation_win_apt_slingshot.yml

@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
 date: 2019-03-04
 modified: 2022-10-09
 tags:
+    - attack.privilege-escalation
+    - attack.execution
     - attack.persistence
     - attack.t1053.005
     - attack.s0111

rules-emerging-threats/2018/TA/Slingshot/win_security_apt_slingshot.yml

@@ -11,6 +11,8 @@ author: Florian Roth (Nextron Systems), Bartlomiej Czyz (@bczyz1)
 date: 2019-03-04
 modified: 2022-11-27
 tags:
+    - attack.privilege-escalation
+    - attack.execution
     - attack.persistence
     - attack.t1053
     - attack.s0111

rules-emerging-threats/2019/Exploits/BearLPE-Exploit/proc_creation_win_exploit_other_bearlpe.yml

@@ -8,6 +8,8 @@ author: Olaf Hartong
 date: 2019-05-22
 modified: 2023-01-26
 tags:
+    - attack.persistence
+    - attack.execution
     - attack.privilege-escalation
     - attack.t1053.005
     - car.2013-08-001

rules-emerging-threats/2019/Exploits/CVE-2019-1378/proc_creation_win_exploit_cve_2019_1378.yml

@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
 date: 2019-11-15
 modified: 2021-11-27
 tags:
+    - attack.persistence
+    - attack.defense-evasion
     - attack.privilege-escalation
     - attack.t1068
     - attack.execution

rules-emerging-threats/2019/Malware/Ryuk/proc_creation_win_malware_ryuk.yml

@@ -14,6 +14,7 @@ author: Florian Roth (Nextron Systems), Vasiliy Burov, Nasreddine Bencherchali (
 date: 2019-12-16
 modified: 2023-02-03
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.t1547.001
     - detection.emerging-threats

rules-emerging-threats/2019/Malware/Ursnif/registry_add_malware_ursnif.yml

@@ -9,6 +9,8 @@ author: megan201296
 date: 2019-02-13
 modified: 2023-02-07
 tags:
+    - attack.persistence
+    - attack.defense-evasion
     - attack.execution
     - attack.t1112
     - detection.emerging-threats

rules-emerging-threats/2019/TA/APT31/proc_creation_win_apt_apt31_judgement_panda.yml

@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2019-02-21
 modified: 2023-03-10
 tags:
+    - attack.collection
     - attack.lateral-movement
     - attack.credential-access
     - attack.g0128

rules-emerging-threats/2019/TA/Operation-Wocao/proc_creation_win_apt_wocao.yml

@@ -12,6 +12,8 @@ author: Florian Roth (Nextron Systems), frack113
 date: 2019-12-20
 modified: 2022-10-09
 tags:
+    - attack.privilege-escalation
+    - attack.persistence
     - attack.discovery
     - attack.t1012
     - attack.defense-evasion

rules-emerging-threats/2019/TA/Operation-Wocao/win_security_apt_wocao.yml

@@ -10,6 +10,8 @@ author: Florian Roth (Nextron Systems), frack113
 date: 2019-12-20
 modified: 2022-11-27
 tags:
+    - attack.privilege-escalation
+    - attack.persistence
     - attack.discovery
     - attack.t1012
     - attack.defense-evasion

rules-emerging-threats/2020/Malware/Blue-Mockingbird/proc_creation_win_malware_blue_mockingbird.yml

@@ -11,6 +11,8 @@ author: Trent Liffick (@tliffick)
 date: 2020-05-14
 modified: 2022-10-09
 tags:
+    - attack.persistence
+    - attack.defense-evasion
     - attack.execution
     - attack.t1112
     - attack.t1047

rules-emerging-threats/2020/Malware/FlowCloud/registry_event_malware_flowcloud_markers.yml

@@ -10,6 +10,7 @@ author: NVISO
 date: 2020-06-09
 modified: 2024-03-20
 tags:
+    - attack.defense-evasion
     - attack.persistence
     - attack.t1112
     - detection.emerging-threats

rules-emerging-threats/2020/TA/Leviathan/registry_event_apt_leviathan.yml

@@ -8,6 +8,7 @@ author: Aidan Bracher
 date: 2020-07-07
 modified: 2023-09-19
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.t1547.001
     - detection.emerging-threats

rules-emerging-threats/2020/TA/SolarWinds-Supply-Chain/proc_creation_win_apt_unc2452_vbscript_pattern.yml

@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-03-05
 modified: 2022-10-09
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.t1547.001
     - detection.emerging-threats

rules-emerging-threats/2020/TA/TAIDOOR-RAT/proc_creation_win_apt_taidoor.yml

@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems)
 date: 2020-07-30
 modified: 2021-11-27
 tags:
+    - attack.privilege-escalation
+    - attack.defense-evasion
     - attack.execution
     - attack.t1055.001
     - detection.emerging-threats

rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_mal_hk_jan20.yml

@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems), Markus Neis
 date: 2020-02-01
 modified: 2021-11-27
 tags:
+    - attack.privilege-escalation
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1574.001
     - attack.g0044

rules-emerging-threats/2020/TA/Winnti/proc_creation_win_apt_winnti_pipemon.yml

@@ -8,6 +8,8 @@ author: Florian Roth (Nextron Systems), oscd.community
 date: 2020-07-30
 modified: 2021-11-27
 tags:
+    - attack.privilege-escalation
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1574.001
     - attack.g0044

rules-emerging-threats/2021/Exploits/CVE-2021-1675/av_printernightmare_cve_2021_34527.yml

@@ -10,6 +10,7 @@ author: Sittikorn S, Nuttakorn T, Tim Shelton
 date: 2021-07-01
 modified: 2023-10-23
 tags:
+    - attack.defense-evasion
     - attack.privilege-escalation
     - attack.t1055
     - detection.emerging-threats

rules-emerging-threats/2021/Exploits/CVE-2021-33771/file_event_win_cve_2021_31979_cve_2021_33771_exploits.yml

@@ -9,6 +9,8 @@ author: Sittikorn S
 date: 2021-07-16
 modified: 2022-10-09
 tags:
+    - attack.initial-access
+    - attack.execution
     - attack.credential-access
     - attack.t1566
     - attack.t1203

rules-emerging-threats/2021/Exploits/CVE-2021-33771/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml

@@ -9,6 +9,8 @@ author: Sittikorn S, frack113
 date: 2021-07-16
 modified: 2023-08-17
 tags:
+    - attack.initial-access
+    - attack.execution
     - attack.credential-access
     - attack.t1566
     - attack.t1203

rules-emerging-threats/2021/Exploits/CVE-2021-42287/win_security_samaccountname_spoofing_cve_2021_42287.yml

@@ -8,6 +8,7 @@ author: Florian Roth (Nextron Systems)
 date: 2021-12-22
 modified: 2022-12-25
 tags:
+    - attack.privilege-escalation
     - attack.defense-evasion
     - attack.persistence
     - attack.t1036

rules-emerging-threats/2021/Exploits/RazerInstaller-LPE-Exploit/proc_creation_win_exploit_other_razorinstaller_lpe.yml

@@ -9,6 +9,7 @@ author: Florian Roth (Nextron Systems), Maxime Thiebaut
 date: 2021-08-23
 modified: 2024-12-01
 tags:
+    - attack.defense-evasion
     - attack.privilege-escalation
     - attack.t1553
     - detection.emerging-threats

rules-emerging-threats/2021/Malware/BlackByte/registry_set_win_malware_blackbyte_privesc_registry.yml

@@ -12,6 +12,7 @@ author: frack113
 date: 2022-01-24
 modified: 2025-10-21
 tags:
+    - attack.persistence
     - attack.defense-evasion
     - attack.t1112
     - detection.emerging-threats

rules-emerging-threats/2021/Malware/Pingback/file_event_win_malware_pingback_backdoor.yml

@@ -14,6 +14,8 @@ author: Bhabesh Raj
 date: 2021-05-05
 modified: 2023-02-17
 tags:
+    - attack.privilege-escalation
+    - attack.defense-evasion
     - attack.persistence
     - attack.t1574.001
     - detection.emerging-threats

rules-emerging-threats/2021/Malware/Pingback/image_load_malware_pingback_backdoor.yml

@@ -14,6 +14,8 @@ author: Bhabesh Raj
 date: 2021-05-05
 modified: 2023-02-17
 tags:
+    - attack.privilege-escalation
+    - attack.defense-evasion
     - attack.persistence
     - attack.t1574.001
     - detection.emerging-threats

rules-emerging-threats/2021/Malware/Pingback/proc_creation_win_malware_pingback_backdoor.yml

@@ -14,6 +14,8 @@ author: Bhabesh Raj
 date: 2021-05-05
 modified: 2023-02-17
 tags:
+    - attack.privilege-escalation
+    - attack.defense-evasion
     - attack.persistence
     - attack.t1574.001
     - detection.emerging-threats

rules-emerging-threats/2021/Malware/Small-Sieve/proc_creation_win_malware_small_sieve_cli_arg.yml

@@ -7,6 +7,8 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-05-19
 tags:
+    - attack.privilege-escalation
+    - attack.defense-evasion
     - attack.persistence
     - attack.t1574.001
     - detection.emerging-threats

rules-emerging-threats/2021/TA/HAFNIUM/proc_creation_win_apt_hafnium.yml

@@ -12,6 +12,8 @@ author: Florian Roth (Nextron Systems)
 date: 2021-03-09
 modified: 2023-03-09
 tags:
+    - attack.privilege-escalation
+    - attack.execution
     - attack.persistence
     - attack.t1546
     - attack.t1053

rules-emerging-threats/2022/Exploits/CVE-2022-24527/file_event_win_cve_2022_24527_lpe.yml

@@ -7,6 +7,7 @@ references:
 author: Florian Roth (Nextron Systems)
 date: 2022-04-13
 tags:
+    - attack.execution
     - attack.privilege-escalation
     - attack.t1059.001
     - cve.2022-24527

rules-emerging-threats/2022/Malware/ChromeLoader/proc_creation_win_malware_chrome_loader_execution.yml

@@ -10,6 +10,7 @@ references:
 author: '@kostastsale'
 date: 2022-01-10
 tags:
+    - attack.privilege-escalation
     - attack.execution
     - attack.persistence
     - attack.t1053.005

rules-emerging-threats/2022/Malware/Serpent-Backdoor/proc_creation_win_malware_serpent_backdoor_payload_execution.yml

@@ -10,6 +10,7 @@ references:
 author: '@kostastsale'
 date: 2022-03-21
 tags:
+    - attack.privilege-escalation
     - attack.execution
     - attack.persistence
     - attack.t1053.005

rules-emerging-threats/2022/Malware/win_mssql_sp_maggie.yml

@@ -7,6 +7,7 @@ references:
 author: Denis Szadkowski, DIRT / DCSO CyTec
 date: 2022-10-09
 tags:
+    - attack.privilege-escalation
     - attack.persistence
     - attack.t1546
     - detection.emerging-threats