Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
title: CVE-2024-49113 Exploitation Attempt - LDAP Nightmare
id: 3f2c93c7-7b2a-4d58-bb8d-6f39422d8148
status: experimental
status: test
description: |
Detects exploitation attempt of CVE-2024-49113 known as LDAP Nightmare, based on "Application Error" log where the faulting application is "lsass.exe" and the faulting module is "WLDAP32.dll".
references:
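Review bot: Only the status line moves from experimental to test in this hunk; if the rule carries a `modified` date further down in the file, it should be bumped in the same change so downstream consumers can see the rule was re-evaluated when it was promoted. The promotion itself looks justified, since the description names concrete, testable telemetry (an "Application Error" event with lsass.exe as the faulting application and WLDAP32.dll as the faulting module).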
@@ -1,6 +1,6 @@
title: CVE-2024-50623 Exploitation Attempt - Cleo
id: f007b877-02e3-45b7-8501-1b78c2864029
status: experimental
status: test
description: |
Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline.
references:
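Review bot: The description in this hunk misspells the vendor name: "Celo software suite" should read "Cleo" to match the title, and "Powershell" should be "PowerShell". Since this change already touches the header of the file, both fixes belong in the same commit as the status promotion.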
@@ -1,6 +1,6 @@
title: File Creation Related To RAT Clients
id: 2f3039c8-e8fe-43a9-b5cf-dcd424a2522d
status: experimental
status: test
description: |
File .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild.
references:
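Review bot: The description is not phrased as a detection statement like the other rules in this change ("File .conf created related to VenomRAT, AsyncRAT and Lummac samples observed in the wild."). Suggest "Detects the creation of a .conf file associated with VenomRAT, AsyncRAT and Lummac samples observed in the wild." so readers can tell what event the rule fires on.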
@@ -1,6 +1,6 @@
title: Lummac Stealer Activity - Execution Of More.com And Vbc.exe
id: 19b3806e-46f2-4b4c-9337-e3d8653245ea
status: experimental
status: test
description: |
Detects the execution of more.com and vbc.exe in the process tree.
This behavior was observed by a set of samples related to Lummac Stealer.
@@ -1,6 +1,6 @@
title: Forest Blizzard APT - Process Creation Activity
id: 07db928c-8632-488e-ac7d-3db847489175
status: experimental
status: test
description: |
Detects the execution of specific processes and command line combination.
These were seen being created by Forest Blizzard as described by MSFT.
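Review bot: Minor wording in the description: "specific processes and command line combination" should be plural ("command-line combinations"), and "MSFT" is better spelled out as Microsoft in text that end users of the rule will read.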
@@ -1,6 +1,6 @@
title: WDAC Policy File Creation In CodeIntegrity Folder
id: 121b25f7-b9d6-4b37-afa0-cba317ec52f3
status: experimental
status: test
description: |
Attackers can craft a custom Windows Defender Application Control (WDAC) policy that blocks Endpoint Detection and Response (EDR) components while allowing their own malicious code. The policy is placed in the privileged Windows Code Integrity folder (C:\Windows\System32\CodeIntegrity\). Upon reboot, the policy prevents EDR drivers from loading, effectively bypassing security measures and may further enable undetected lateral movement within an Active Directory environment.
references:
2 changes: 1 addition & 1 deletion rules/cloud/aws/cloudtrail/aws_delete_saml_provider.yml
@@ -1,6 +1,6 @@
title: AWS SAML Provider Deletion Activity
id: ccd6a6c8-bb4e-4a91-9d2a-07e632819374
status: experimental
status: test
description: |
Detects the deletion of an AWS SAML provider, potentially indicating malicious intent to disrupt administrative or security team access.
An attacker can remove the SAML provider for the information security team or a team of system administrators, to make it difficult for them to work and investigate at the time of the attack and after it.
@@ -1,6 +1,6 @@
title: AWS Key Pair Import Activity
id: 92f84194-8d9a-4ee0-8699-c30bfac59780
status: experimental
status: test
description: |
Detects the import of SSH key pairs into AWS EC2, which may indicate an attacker attempting to gain unauthorized access to instances. This activity could lead to initial access, persistence, or privilege escalation, potentially compromising sensitive data and operations.
references:
2 changes: 1 addition & 1 deletion rules/cloud/aws/cloudtrail/aws_lambda_function_url.yml
@@ -1,6 +1,6 @@
title: New AWS Lambda Function URL Configuration Created
id: ec541962-c05a-4420-b9ea-84de072d18f4
status: experimental
status: test
description: |
Detects when a user creates a Lambda function URL configuration, which could be used to expose the function to the internet and potentially allow unauthorized access to the function's IAM role for AWS API calls.
This could give an adversary access to the privileges associated with the Lambda service role that is attached to that function.
2 changes: 1 addition & 1 deletion rules/cloud/aws/cloudtrail/aws_rds_dbcluster_actions.yml
@@ -1,6 +1,6 @@
title: Modification or Deletion of an AWS RDS Cluster
id: 457cc9ac-d8e6-4d1d-8c0e-251d0f11a74c
status: experimental
status: test
description: Detects modifications to an RDS cluster or its deletion, which may indicate potential data exfiltration attempts, unauthorized access, or exposure of sensitive information.
references:
- https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_ModifyDBCluster.html
@@ -1,6 +1,6 @@
title: Azure Login Bypassing Conditional Access Policies
id: 13f2d3f5-6497-44a7-bf5f-dc13ffafe5dc
status: experimental
status: test
description: |
Detects a successful login to the Microsoft Intune Company Portal which could allow bypassing Conditional Access Policies and InTune device trust using a tool like TokenSmith.
author: Josh Nickels, Marius Rothenbücher
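Review bot: The description spells the product two ways on one line, "Microsoft Intune Company Portal" and "InTune device trust"; use "Intune" consistently.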
@@ -1,6 +1,6 @@
title: Shell Execution via Rsync - Linux
id: e2326866-609f-4015-aea9-7ec634e8aa04
status: experimental
status: test
description: |
Detects the use of the "rsync" utility to execute a shell. Such behavior may be associated with privilege escalation, unauthorized command execution, or to break out from restricted environments.
references:
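Review bot: The list in the description loses parallelism at the end ("privilege escalation, unauthorized command execution, or to break out from restricted environments"); suggest "privilege escalation, unauthorized command execution, or breakout from restricted environments".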
@@ -1,6 +1,6 @@
title: Suspicious Invocation of Shell via Rsync
id: 297241f3-8108-4b3a-8c15-2dda9f844594
status: experimental
status: test
description: |
Detects the execution of a shell as sub process of "rsync" without the expected command line flag "-e" being used, which could be an indication of exploitation as described in CVE-2024-12084. This behavior is commonly associated with attempts to execute arbitrary commands or escalate privileges, potentially leading to unauthorized access or further exploitation.
references:
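Review bot: "sub process" in the description should be "subprocess", and since this rule sits next to "Shell Execution via Rsync - Linux" in the same change, it would help to state up front that the absence of the "-e" flag is what separates this rule from that one rather than leaving it mid-sentence.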
@@ -1,6 +1,6 @@
title: CodeIntegrity - Unmet Signing Level Requirements By File Under Validation
id: f8931561-97f5-4c46-907f-0a4a592e47a7
status: experimental
status: test
description: |
Detects attempted file load events that did not meet the signing level requirements. It often means the file's signature is revoked or a signature with the Lifetime Signing EKU has expired.
This event is best correlated with EID 3089 to determine the error of the validation.
2 changes: 1 addition & 1 deletion rules/windows/dns_query/dns_query_win_quickassist.yml
@@ -1,6 +1,6 @@
title: DNS Query Request By QuickAssist.EXE
id: 882e858a-3233-4ba8-855e-2f3d3575803d
status: experimental
status: test
description: |
Detects DNS queries initiated by "QuickAssist.exe" to Microsoft Quick Assist primary endpoint that is used to establish a session.
references:
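Review bot: The description is missing an article and reads awkwardly ("to Microsoft Quick Assist primary endpoint that is used to establish a session"); suggest "to the Microsoft Quick Assist primary endpoint used to establish a session".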
@@ -1,6 +1,6 @@
title: Suspicious Binaries and Scripts in Public Folder
id: b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e
status: experimental
status: test
description: Detects the creation of a file with a suspicious extension in the public folder, which could indicate potential malicious activity.
references:
- https://intel.thedfirreport.com/events/view/30032 # Private Report
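Review bot: The only reference visible in this hunk is marked "# Private Report", so a reviewer or user cannot reproduce the observation behind the rule; before promoting the status to test, consider adding a public reference if one exists, or note in the description why the rule is considered tested without one.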
2 changes: 1 addition & 1 deletion rules/windows/image_load/image_load_clfs_load.yml
@@ -1,6 +1,6 @@
title: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
id: fb4e2211-6d08-426b-8e6f-0d4a161e3b1d
status: experimental
status: test
description: Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVEs exploits that targets Common Log File.
references:
- https://ssd-disclosure.com/ssd-advisory-common-log-file-system-clfs-driver-pe/
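Review bot: The second sentence of the description has grammar problems ("loaded as part of many CVEs exploits that targets Common Log File"); suggest "Clfs.sys is loaded by many exploits for CVEs targeting the Common Log File System (CLFS) driver." The title also reads "Potential Suspicious Location" where "Potentially Suspicious Location" is meant, matching the wording used in the description.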
@@ -1,6 +1,6 @@
title: QuickAssist Execution
id: e20b5b14-ce93-4230-88af-981983ef6e74
status: experimental
status: test
description: |
Detects the execution of Microsoft Quick Assist tool "QuickAssist.exe". This utility can be used by attackers to gain remote access.
references: