Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
title: Suspicious Sysmon as Execution Parent
id: 6d1058a4-407e-4f3a-a144-1968c11dc5c3
status: experimental
status: test
description: Detects suspicious process executions in which Sysmon itself is the parent of a process, which could be a sign of exploitation (e.g. CVE-2022-41120)
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41120
@@ -1,6 +1,6 @@
title: Exploitation Indicator Of CVE-2022-42475
id: 293ccb8c-bed8-4868-8296-bef30e303b7e
status: experimental
status: test
description: Detects exploitation indicators of CVE-2022-42475 a heap-based buffer overflow in sslvpnd.
references:
- https://www.fortiguard.com/psirt/FG-IR-22-398
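Review bot: the description on the third line runs the CVE identifier straight into its explanation; a comma after it (`Detects exploitation indicators of CVE-2022-42475, a heap-based buffer overflow in sslvpnd.`) matches the phrasing used elsewhere in this set. Style only; the status change itself is fine.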
@@ -1,6 +1,6 @@
title: CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21
id: 6c7defa9-69f8-4c34-b815-41fce3931754
status: experimental
status: test
description: |
Detects potential exploitation attempt of CVE-2023-1389 an Unauthenticated Command Injection in TP-Link Archer AX21.
references:
@@ -1,6 +1,6 @@
title: Exploitation Indicators Of CVE-2023-20198
id: 2ece8816-b7a0-4d9b-b0e8-ae7ad18bc02b
status: experimental
status: test
description: Detecting exploitation indicators of CVE-2023-20198 a privilege escalation vulnerability in Cisco IOS XE Software Web UI.
references:
- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
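Review bot: the description opens with `Detecting` where every other rule touched here uses `Detects`; while the file is being modified, suggest `Detects exploitation indicators of CVE-2023-20198, a privilege escalation vulnerability in Cisco IOS XE Software Web UI.`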
Expand Up @@ -3,7 +3,7 @@ id: f8987c03-4290-4c96-870f-55e75ee377f4
related:
- id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db
type: similar
status: experimental
status: test
description: |
Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
references:
Expand Up @@ -3,7 +3,7 @@ id: 1ddaa9a4-eb0b-4398-a9fe-7b018f9e23db
related:
- id: f8987c03-4290-4c96-870f-55e75ee377f4
type: similar
status: experimental
status: test
description: |
Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
references:
Expand Up @@ -3,7 +3,7 @@ id: 27d2cdde-9778-490e-91ec-9bd0be6e8cc6
related:
- id: a902d249-9b9c-4dc4-8fd0-fbe528ef965c
type: similar
status: experimental
status: test
description: |
Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
references:
Expand Up @@ -3,7 +3,7 @@ id: a902d249-9b9c-4dc4-8fd0-fbe528ef965c
related:
- id: 27d2cdde-9778-490e-91ec-9bd0be6e8cc6
type: similar
status: experimental
status: test
description: |
Detects exploitation attempt of CVE-2023-22518 (Confluence Data Center / Confluence Server), where an attacker can exploit vulnerable endpoints to e.g. create admin accounts and execute arbitrary commands.
references:
@@ -1,6 +1,6 @@
title: Potential CVE-2023-27363 Exploitation - HTA File Creation By FoxitPDFReader
id: 9cae055f-e1d2-4f81-b8a5-1986a68cdd84
status: experimental
status: test
description: Detects suspicious ".hta" file creation in the startup folder by Foxit Reader. This can be an indication of CVE-2023-27363 exploitation.
references:
- https://github.com/j00sean/SecBugs/tree/ff72d553f75d93e1a0652830c0f74a71b3f19c46/CVEs/CVE-2023-27363
@@ -1,6 +1,6 @@
title: Potential CVE-2023-36874 Exploitation - Fake Wermgr.Exe Creation
id: ad0960eb-0015-4d16-be13-b3d9f18f1342
status: experimental
status: test
description: Detects the creation of a file named "wermgr.exe" being created in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.
references:
- https://github.com/Wh04m1001/CVE-2023-36874
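Review bot: the description is redundant (`Detects the creation of a file named "wermgr.exe" being created in an uncommon directory`); suggest `Detects the creation of a file named "wermgr.exe" in an uncommon directory. This could be a sign of potential exploitation of CVE-2023-36874.`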
Expand Up @@ -3,7 +3,7 @@ id: ec3a3c2f-9bb0-4a9b-8f4b-5ec386544343
related:
- id: e4556676-fc5c-4e95-8c39-5ef27791541f
type: similar
status: experimental
status: test
description: Detects exploitation attempt of CVE-2023-38331 (WinRAR before v6.23), where an attacker can leverage WinRAR to execute arbitrary commands and binaries.
references:
- https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/
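Review bot: the CVE identifier in the description does not match the reference. The text says `CVE-2023-38331`, while the Group-IB URL on the last line is about `cve-2023-38831`, the WinRAR vulnerability the rule is meant to cover. Promoting the rule to `test` with a transposed identifier means anyone searching rules by CVE will miss it; fix the description to `CVE-2023-38831` in this PR, and check the title and tags of the same file, which are outside this hunk.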
Expand Up @@ -3,7 +3,7 @@ id: f48f5368-355c-4a1b-8bf5-11c13d589eaa
related:
- id: a2bcca38-9f3a-4d5e-b603-0c587e8569d7
type: similar
status: experimental
status: test
description: |
Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in proxy logs.
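Review bot: `Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight ...` reads as if the CVE and the information disclosure were two different things, and the trailing `in proxy logs` attaches to `router components` rather than to the detection. Suggest `Detects exploitation attempts, in proxy logs, of CVE-2023-43261, an information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components.`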
references:
Expand Up @@ -3,7 +3,7 @@ id: a2bcca38-9f3a-4d5e-b603-0c587e8569d7
related:
- id: f48f5368-355c-4a1b-8bf5-11c13d589eaa
type: similar
status: experimental
status: test
description: |
Detects exploitation attempts of CVE-2023-43261 and information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 that allows attackers to access sensitive router components in access logs.
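Review bot: same wording problem as the proxy-log sibling of this rule: `CVE-2023-43261 and information disclosure` should read `CVE-2023-43261, an information disclosure ...`, and `in access logs` belongs with `Detects exploitation attempts`, not with `sensitive router components`.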
references:
Expand Up @@ -3,7 +3,7 @@ id: 04017cd5-621e-4ec4-a762-1f042fe3d3e5
related:
- id: ba5268de-4dd4-4d5c-8a90-2b5e6dc1aff8
type: derived
status: experimental
status: test
description: |
Detects potential exploitation of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing
references:
Expand Up @@ -3,7 +3,7 @@ id: ba5268de-4dd4-4d5c-8a90-2b5e6dc1aff8
related:
- id: 04017cd5-621e-4ec4-a762-1f042fe3d3e5
type: derived
status: experimental
status: test
description: |
Detects exploitation attempt of CVE-2023-46214, a remote code execution (RCE) in Splunk Enterprise through insecure XML parsing using known public proof of concept code
references:
Expand Up @@ -3,7 +3,7 @@ id: f195b2ff-e542-41bf-8d91-864fb81e5c20
related:
- id: e9928831-ba14-42ea-a4bc-33d352b9929a
type: similar
status: experimental
status: test
description: Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.
references:
- https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main
Expand Up @@ -3,7 +3,7 @@ id: e9928831-ba14-42ea-a4bc-33d352b9929a
related:
- id: f195b2ff-e542-41bf-8d91-864fb81e5c20
type: similar
status: experimental
status: test
description: Detects exploitation activity of CVE-2023-46747 an unauthenticated remote code execution vulnerability in F5 BIG-IP.
references:
- https://github.com/AliBrTab/CVE-2023-46747-POC/tree/main
Expand Up @@ -7,7 +7,7 @@ related:
type: similar
- id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit
type: similar
status: experimental
status: test
description: Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs by looking for a very long host header string.
references:
- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
Expand Up @@ -7,7 +7,7 @@ related:
type: similar
- id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit
type: similar
status: experimental
status: test
description: Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via proxy logs.
references:
- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
Expand Up @@ -7,7 +7,7 @@ related:
type: similar
- id: a4e068b5-e27c-4f21-85b3-e69e5a4f7ce1 # Webserver Exploit
type: similar
status: experimental
status: test
description: Detects potential exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs.
references:
- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
Expand Up @@ -7,7 +7,7 @@ related:
type: similar
- id: aee7681f-b53d-4594-a9de-ac51e6ad3362 # Proxy Exploit
type: similar
status: experimental
status: test
description: Detects exploitation attempt of CVE-2023-4966 a Citrix ADC and NetScaler Gateway sensitive information disclosure vulnerability via webserver logs by looking for a very long host header string.
references:
- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20234966-and-cve20234967
@@ -1,6 +1,6 @@
title: DarkGate - Autoit3.EXE File Creation By Uncommon Process
id: 1a433e1d-03d2-47a6-8063-ece992cf4e73
status: experimental
status: test
description: |
Detects the usage of curl.exe, KeyScramblerLogon, or other non-standard/suspicious processes used to create Autoit3.exe.
This activity has been associated with DarkGate malware, which uses Autoit3.exe to execute shellcode that performs
@@ -1,6 +1,6 @@
title: DarkGate - Autoit3.EXE Execution Parameters
id: f8e9aa1c-14f2-4dbd-aa59-b98968ed650d
status: experimental
status: test
description: |
Detects execution of the legitimate Autoit3 utility from a suspicious parent process. AutoIt3.exe is used within
the DarkGate infection chain to execute shellcode that performs process injection and connects to the DarkGate
@@ -1,6 +1,6 @@
title: DarkGate - User Created Via Net.EXE
id: bf906d7b-7070-4642-8383-e404cf26eba5
status: experimental
status: test
description: Detects creation of local users via the net.exe command with the name of "DarkGate"
references:
- Internal Research
@@ -1,6 +1,6 @@
title: Potential Pikabot C2 Activity
id: cae6cee6-0244-44d2-84ed-e65f548eb7dc
status: experimental
status: test
description: |
Detects the execution of rundll32 that leads to an external network connection.
The malware Pikabot has been seen to use this technique to initiate C2-communication through hard-coded Windows binaries.
@@ -1,6 +1,6 @@
title: Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
id: e5144106-8198-4f6e-bfc2-0a551cc8dd94
status: experimental
status: test
description: |
Detects the execution of concatenated commands via "cmd.exe". Pikabot often executes a combination of multiple commands via the command handler "cmd /c" in order to download and execute additional payloads.
Commands such as "curl", "wget" in order to download extra payloads. "ping" and "timeout" are abused to introduce delays in the command execution and "Rundll32" is also used to execute malicious DLL files.
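Review bot: the second sentence of the description is a fragment (`Commands such as "curl", "wget" in order to download extra payloads.`). Suggest folding it into one sentence: `Commands such as "curl" and "wget" are used to download extra payloads, "ping" and "timeout" are abused to introduce delays in the command execution, and "rundll32" is used to execute malicious DLL files.`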
@@ -1,6 +1,6 @@
title: Potential Pikabot Discovery Activity
id: 698d4431-514f-4c82-af4d-cf573872a9f5
status: experimental
status: test
description: |
Detects system discovery activity carried out by Pikabot, such as incl. network, user info and domain groups.
The malware Pikabot has been seen to use this technique as part of its C2-botnet registration with a short collection time frame (less than 1 minute).
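Review bot: `such as incl. network, user info and domain groups` stacks two qualifiers on the same list; suggest `Detects system discovery activity carried out by Pikabot, including network, user and domain group enumeration.`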
@@ -1,6 +1,6 @@
title: Potential Pikabot Hollowing Activity
id: d8937fe7-42d5-4b4d-8178-e089c908f63f
status: experimental
status: test
description: |
Detects the execution of rundll32 that leads to the invocation of legitimate Windows binaries.
The malware Pikabot has been seen to use this technique for process hollowing through hard-coded Windows binaries
@@ -1,6 +1,6 @@
title: Pikabot Fake DLL Extension Execution Via Rundll32.EXE
id: 1bf0ba65-9a39-42a2-9271-31d31bf2f0bf
status: experimental
status: test
description: |
Detects specific process tree behavior linked to "rundll32" executions, wherein the associated DLL lacks a common ".dll" extension, often signaling potential Pikabot activity.
references:
@@ -1,6 +1,6 @@
title: Qakbot Regsvr32 Calc Pattern
id: 0033cf83-fb87-446d-9cac-43d63ad4d5a9
status: experimental
status: test
description: Detects a specific command line of "regsvr32" where the "calc" keyword is used in conjunction with the "/s" flag. This behavior is often seen used by Qakbot
references:
- https://github.com/pr0xylife/Qakbot/
@@ -1,6 +1,6 @@
title: DLL Names Used By SVR For GraphicalProton Backdoor
id: e64c8ef3-9f98-40c8-b71e-96110991cb4c
status: experimental
status: test
description: Hunts known SVR-specific DLL names.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
Expand Up @@ -3,7 +3,7 @@ id: 8fa65166-f463-4fd2-ad4f-1436133c52e1
related:
- id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142
type: similar
status: experimental
status: test
description: Hunts for known SVR-specific scheduled task names
author: CISA
references:
Expand Up @@ -3,7 +3,7 @@ id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142
related:
- id: 8fa65166-f463-4fd2-ad4f-1436133c52e1 # Security-Audting Eventlog
type: similar
status: experimental
status: test
description: Hunts for known SVR-specific scheduled task names
author: CISA
references:
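Review bot: typo in the comment on the related-rule line: `# Security-Audting Eventlog` should be `# Security-Auditing Eventlog`.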
@@ -1,6 +1,6 @@
title: Diamond Sleet APT DNS Communication Indicators
id: fba38e0f-4607-4344-bb8f-a4b50cdeef7f
status: experimental
status: test
description: Detects DNS queries related to Diamond Sleet APT activity
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
@@ -1,6 +1,6 @@
title: Diamond Sleet APT File Creation Indicators
id: e1212b32-55ff-4dfb-a595-62b572248056
status: experimental
status: test
description: Detects file creation activity that is related to Diamond Sleet APT activity
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
@@ -1,6 +1,6 @@
title: Diamond Sleet APT DLL Sideloading Indicators
id: d1b65d98-37d7-4ff6-b139-2d87c1af3042
status: experimental
status: test
description: Detects DLL sideloading activity seen used by Diamond Sleet APT
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
@@ -1,6 +1,6 @@
title: Diamond Sleet APT Process Activity Indicators
id: b5495d8d-24ad-4a44-8caf-ceae9a07a5c2
status: experimental
status: test
description: Detects process creation activity indicators related to Diamond Sleet APT
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
@@ -1,6 +1,6 @@
title: Diamond Sleet APT Scheduled Task Creation - Registry
id: 9f9f92ba-5300-43a4-b435-87d1ee571688
status: experimental
status: test
description: |
Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
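Review bot: `Team City` should be written `TeamCity`, as in the reference URLs of the other Diamond Sleet rules in this PR (`...teamcity-cve-2023-42793...`); style only.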
references:
@@ -1,6 +1,6 @@
title: Diamond Sleet APT Scheduled Task Creation
id: 3b8e5084-4de9-449a-a40d-0e11014f2e2d
status: experimental
status: test
description: |
Detects registry event related to the creation of a scheduled task used by Diamond Sleet APT during exploitation of Team City CVE-2023-42793 vulnerability
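Review bot: the description is a verbatim copy of the registry rule in the previous hunk (`Detects registry event related to the creation of a scheduled task ...`), but this rule's title is `Diamond Sleet APT Scheduled Task Creation` without the `- Registry` suffix, so the description should name the log source this rule actually uses rather than a registry event. Worth fixing before the rule is promoted to `test`, since the description is what analysts read when the rule fires. Same `Team City` / `TeamCity` spelling point as the sibling rule.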
references:
@@ -1,6 +1,6 @@
title: Lace Tempest File Indicators
id: e94486ea-2650-4548-bf25-88cbd0bb32d7
status: experimental
status: test
description: Detects PowerShell script file creation with specific names or suffixes which was seen being used often in PowerShell scripts by FIN7
references:
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
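Review bot: `specific names or suffixes which was seen being used often` has a number disagreement; suggest `which were often seen used`. Separately, the title attributes the indicators to Lace Tempest while the description attributes them to FIN7; if the rule relies on the overlap between those two tracking names, say so in the description so the mismatch does not read as a copy-paste error.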
@@ -1,6 +1,6 @@
title: Lace Tempest PowerShell Evidence Eraser
id: b377ddab-502d-4519-9e8c-5590033d2d70
status: experimental
status: test
description: |
Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team
references:
@@ -1,6 +1,6 @@
title: Lace Tempest PowerShell Launcher
id: 37dc5463-f7e3-4f61-ad76-ba59cd02a651
status: experimental
status: test
description: |
Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team
references:
@@ -1,6 +1,6 @@
title: Lace Tempest Cobalt Strike Download
id: aa5b0a40-ed88-46aa-9fdc-0337b379ca9d
status: experimental
status: test
description: Detects specific command line execution used by Lace Tempest to download Cobalt Strike as reported by SysAid Team
references:
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
@@ -1,6 +1,6 @@
title: Lace Tempest Malware Loader Execution
id: 745ea50b-9673-4ba7-9426-cb45cf4a8e6d
status: experimental
status: test
description: Detects execution of a specific binary based on filename and hash used by Lace Tempest to load additional malware as reported by SysAid Team
references:
- https://www.sysaid.com/blog/service-desk/on-premise-software-security-vulnerability-notification
@@ -1,6 +1,6 @@
title: Lazarus APT DLL Sideloading Activity
id: 24007168-a26b-4049-90d0-ce138e13a5cf
status: experimental
status: test
description: Detects sideloading of trojanized DLLs used in Lazarus APT campaign in the case of a Spanish aerospace company
references:
- https://www.welivesecurity.com/en/eset-research/lazarus-luring-employees-trojanized-coding-challenges-case-spanish-aerospace-company/
@@ -1,6 +1,6 @@
title: Okta 2023 Breach Indicator Of Compromise
id: 00a8e92a-776b-425f-80f2-82d8f8fab2e5
status: experimental
status: test
description: |
Detects new user account creation or activation with specific names related to the Okta Support System 2023 breach.
This rule can be enhanced by filtering out known and legitimate username used in your environnement.
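Review bot: typos in the second sentence of the description: `environnement` should be `environment`, and `legitimate username` should be plural (`legitimate usernames`), since the sentence is about filtering out several known accounts.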
@@ -1,6 +1,6 @@
title: Onyx Sleet APT File Creation Indicators
id: 2fef4fd9-7206-40d1-b4f5-ad6441d0cd9b
status: experimental
status: test
description: Detects file creation activity that is related to Onyx Sleet APT activity
references:
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/