chore: promote older rules status from experimental to test

phantinuss · web-flow · commit 2fd661266127 · 2025-09-01T00:55:10.000Z
diff --git a/rules-threat-hunting/windows/builtin/security/win_security_file_access_browser_credential.yml b/rules-threat-hunting/windows/builtin/security/win_security_file_access_browser_credential.yml
@@ -3,7 +3,7 @@ id: 4b60e527-ec73-4b47-8cb3-f02ad927ca65
 related:
     - id: 91cb43db-302a-47e3-b3c8-7ede481e27bf
       type: similar
-status: experimental
+status: test
 description: |
     Detects file access requests to browser credential stores by uncommon processes. Could indicate potential attempt of credential stealing This rule requires heavy baselining before usage.
 references:
diff --git a/rules-threat-hunting/windows/registry/registry_set/registry_set_runmru_command_execution.yml b/rules-threat-hunting/windows/registry/registry_set/registry_set_runmru_command_execution.yml
@@ -3,7 +3,7 @@ id: f9d091f6-f1c7-4873-a24f-050b4a02b4dd
 related:
     - id: a7df0e9e-91a5-459a-a003-4cde67c2ff5d
       type: derived
-status: experimental
+status: test
 description: |
     Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
     This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml
@@ -1,6 +1,6 @@
 title: BITS Transfer Job Download From File Sharing Domains
 id: d635249d-86b5-4dad-a8c7-d7272b788586
-status: experimental
+status: test
 description: Detects BITS transfer job downloading files from a file sharing domain.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md
diff --git a/rules/windows/builtin/iis-configuration/win_iis_logging_etw_disabled.yml b/rules/windows/builtin/iis-configuration/win_iis_logging_etw_disabled.yml
@@ -1,6 +1,6 @@
 title: ETW Logging/Processing Option Disabled On IIS Server
 id: a5b40a90-baf5-4bf7-a6f7-373494881d22
-status: experimental
+status: test
 description: Detects changes to of the IIS server configuration in order to disable/remove the ETW logging/processing option.
 references:
     - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
diff --git a/rules/windows/builtin/iis-configuration/win_iis_logging_http_disabled.yml b/rules/windows/builtin/iis-configuration/win_iis_logging_http_disabled.yml
@@ -1,6 +1,6 @@
 title: HTTP Logging Disabled On IIS Server
 id: e8ebd53a-30c2-45bd-81bb-74befba07bdb
-status: experimental
+status: test
 description: Detects changes to of the IIS server configuration in order to disable HTTP logging for successful requests.
 references:
     - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
diff --git a/rules/windows/builtin/iis-configuration/win_iis_module_added.yml b/rules/windows/builtin/iis-configuration/win_iis_module_added.yml
@@ -1,6 +1,6 @@
 title: New Module Module Added To IIS Server
 id: dd857d3e-0c6e-457b-9b48-e82ae7f86bd7
-status: experimental
+status: test
 description: Detects the addition of a new module to an IIS server.
 references:
     - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
diff --git a/rules/windows/builtin/iis-configuration/win_iis_module_removed.yml b/rules/windows/builtin/iis-configuration/win_iis_module_removed.yml
@@ -1,6 +1,6 @@
 title: Previously Installed IIS Module Was Removed
 id: 9e1a1fdf-ee58-40ce-8e15-b66ca5a80e1f
-status: experimental
+status: test
 description: Detects the removal of a previously installed IIS module.
 references:
     - https://learn.microsoft.com/en-us/iis/manage/provisioning-and-managing-iis/configure-logging-in-iis
diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
@@ -3,7 +3,7 @@ id: 52182dfb-afb7-41db-b4bc-5336cb29b464
 related:
     - id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
       type: similar
-status: experimental
+status: test
 description: Detects the download of suspicious file type from a well-known file and paste sharing domain
 references:
     - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
@@ -3,7 +3,7 @@ id: ae02ed70-11aa-4a22-b397-c0d0e8f6ea99
 related:
     - id: 52182dfb-afb7-41db-b4bc-5336cb29b464
       type: similar
-status: experimental
+status: test
 description: Detects the download of suspicious file type from a well-known file and paste sharing domain
 references:
     - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
diff --git a/rules/windows/image_load/image_load_side_load_python.yml b/rules/windows/image_load/image_load_side_load_python.yml
@@ -1,6 +1,6 @@
 title: Potential Python DLL SideLoading
 id: d36f7c12-14a3-4d48-b6b8-774b9c66f44d
-status: experimental
+status: test
 description: Detects potential DLL sideloading of Python DLL files.
 references:
     - https://www.securonix.com/blog/seolurker-attack-campaign-uses-seo-poisoning-fake-google-ads-to-install-malware/
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml
@@ -1,6 +1,6 @@
 title: Suspicious File Download From File Sharing Domain Via Curl.EXE
 id: 56454143-524f-49fb-b1c6-3fb8b1ad41fb
-status: experimental
+status: test
 description: Detects potentially suspicious file download from file sharing domains using curl.exe
 references:
     - https://labs.withsecure.com/publications/fin7-target-veeam-servers
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_susp_file_sharing_domains.yml
@@ -1,6 +1,6 @@
 title: Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
 id: b6e04788-29e1-4557-bb14-77f761848ab8
-status: experimental
+status: test
 description: Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe
 references:
     - https://labs.withsecure.com/publications/fin7-target-veeam-servers
diff --git a/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml
@@ -1,6 +1,6 @@
 title: Suspicious File Download From File Sharing Domain Via Wget.EXE
 id: a0d7e4d2-bede-4141-8896-bc6e237e977c
-status: experimental
+status: test
 description: Detects potentially suspicious file downloads from file sharing domains using wget.exe
 references:
     - https://labs.withsecure.com/publications/fin7-target-veeam-servers
