change to unsupported status

rules-unsupported/driver_load_invoke_obfuscation_clip+_services.yml

@@ -4,7 +4,7 @@ related:
     - id: f7385ee2-0e0c-11eb-adc1-0242ac120002
       type: derived
 description: Detects Obfuscated use of Clip.exe to execute PowerShell
-status: experimental
+status: unsupported
 author: Jonathan Cheong, oscd.community
 date: 2020/10/13
 modified: 2021/09/16

rules-unsupported/driver_load_invoke_obfuscation_obfuscated_iex_services.yml

@@ -4,7 +4,7 @@ related:
     - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9
       type: derived
 description: "Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888"
-status: experimental
+status: unsupported
 author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community
 date: 2019/11/08
 modified: 2021/09/16

rules-unsupported/driver_load_invoke_obfuscation_stdin+_services.yml

@@ -4,7 +4,7 @@ related:
     - id: 72862bf2-0eb1-11eb-adc1-0242ac120002
       type: derived
 description: Detects Obfuscated use of stdin to execute PowerShell
-status: experimental
+status: unsupported
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
 modified: 2021/09/17

rules-unsupported/driver_load_invoke_obfuscation_var+_services.yml

@@ -4,7 +4,7 @@ related:
     - id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
       type: derived
 description: Detects Obfuscated use of Environment Variables to execute PowerShell
-status: experimental
+status: unsupported
 author: Jonathan Cheong, oscd.community
 date: 2020/10/15
 modified: 2021/09/17

rules-unsupported/driver_load_invoke_obfuscation_via_compress_services.yml

@@ -4,7 +4,7 @@ related:
     - id: 175997c5-803c-4b08-8bb0-70b099f47595
       type: derived  
 description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
-status: experimental
+status: unsupported
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
 modified: 2021/09/18

rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml

@@ -4,7 +4,7 @@ related:
     - id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
       type: derived
 description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
-status: experimental
+status: unsupported
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
 modified: 2021/09/18

rules-unsupported/driver_load_invoke_obfuscation_via_stdin_services.yml

@@ -4,7 +4,7 @@ related:
     - id: 487c7524-f892-4054-b263-8a0ace63fc25
       type: derived
 description: Detects Obfuscated Powershell via Stdin in Scripts
-status: experimental
+status: unsupported
 author: Nikita Nazarov, oscd.community
 date: 2020/10/12
 modified: 2021/09/18

rules-unsupported/driver_load_invoke_obfuscation_via_use_clip_services.yml

@@ -4,7 +4,7 @@ related:
     - id: 63e3365d-4824-42d8-8b82-e56810fefa0c
       type: derived
 description: Detects Obfuscated Powershell via use Clip.exe in Scripts
-status: experimental
+status: unsupported
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
 modified: 2021/09/18

rules-unsupported/driver_load_invoke_obfuscation_via_use_mshta_services.yml

@@ -4,7 +4,7 @@ related:
     - id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
       type: derived
 description: Detects Obfuscated Powershell via use MSHTA in Scripts
-status: experimental
+status: unsupported
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
 modified: 2021/09/18

rules-unsupported/driver_load_invoke_obfuscation_via_use_rundll32_services.yml

@@ -4,7 +4,7 @@ related:
     - id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
       type: derived
 description: Detects Obfuscated Powershell via use Rundll32 in Scripts
-status: experimental
+status: unsupported
 author: Nikita Nazarov, oscd.community
 date: 2020/10/09
 modified: 2021/09/18

rules-unsupported/driver_load_invoke_obfuscation_via_var++_services.yml

@@ -4,7 +4,7 @@ related:
     - id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
       type: derived
 description: Detects Obfuscated Powershell via VAR++ LAUNCHER
-status: experimental
+status: unsupported
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/13
 modified: 2021/09/18

rules-unsupported/driver_load_tap_driver_installation.yml

@@ -4,7 +4,7 @@ related:
     - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9
       type: derived
 description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques
-status: experimental
+status: unsupported
 author: Daniil Yugoslavskiy, Ian Davis, oscd.community
 date: 2019/10/24
 modified: 2021/09/21

rules-unsupported/net_dns_high_subdomain_rate.yml

@@ -39,4 +39,4 @@ detection:
 falsepositives:
     - Legitimate domain name requested, which should be added to whitelist
 level: high
-status: experimental
+status: unsupported

rules-unsupported/net_dns_large_domain_name.yml

@@ -34,4 +34,4 @@ detection:
 falsepositives:
     - Legitimate domain name requested, which should be added to whitelist
 level: high
-status: experimental
+status: unsupported

rules-unsupported/net_possible_dns_rebinding.yml

@@ -1,6 +1,6 @@
 title: Possible DNS Rebinding
 id: ec5b8711-b550-4879-9660-568aaae2c3ea
-status: experimental
+status: unsupported
 description: 'Detects DNS-answer with TTL <10.'
 date: 2019/10/25
 author: Ilyas Ochkov, oscd.community

rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml

@@ -1,7 +1,7 @@
 title: MSI Spawned Cmd and Powershell Spawned Processes
 id: 38cf8340-461b-4857-bf99-23a41f772b18
 description: This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell that spawned other processes
-status: experimental
+status: unsupported
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020/10/13
 references:

rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml

@@ -3,7 +3,7 @@ id: 078235c5-6ec5-48e7-94b2-f8b5474379ea
 description: This rule will looks any process with low privilege launching Windows Installer service (msiexec.exe) that tries to install MSI packages with SYSTEM privilege 
 #look for MSI start by low privilege user, write the process guid to the suspicious_guid variable
 #look for child process from the suspicious_guid, alert if it's Windows Installer trying to install package with SYSTEM privilege
-status: experimental
+status: unsupported
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020/10/13
 references: 

rules-unsupported/sysmon_process_reimaging.yml

@@ -11,7 +11,7 @@ description: Detects process reimaging defense evasion technique
 # Rule must trigger if selection1 and selection2 both occurs in timeframe of 120 sec.
 # Rule logic is currently not supported by SIGMA.
 # Sysmon v.10.0 or newer is required for proper detection.
-status: experimental
+status: unsupported
 author: Alexey Balandin, oscd.community
 references:
     - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/

rules-unsupported/win_access_fake_files_with_stored_credentials.yml

@@ -1,7 +1,7 @@
 title: Stored Credentials in Fake Files
 id: 692b979c-f747-41dc-ad72-1f11c01b110e
 description: Search for accessing of fake files with stored credentials
-status: experimental
+status: unsupported
 author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
 date: 2020/10/05
 references: 

rules-unsupported/win_apt_apt29_tor.yml

@@ -11,7 +11,8 @@ tags:
     - attack.t1543.003
 date: 2017/11/01
 modified: 2020/08/23
-author: Thomas Patzke 
+author: Thomas Patzke
+status: unsupported
 logsource:
     product: windows
     service: system

rules-unsupported/win_dumping_ntdsdit_via_dcsync.yml

@@ -31,4 +31,4 @@ detection:
 falsepositives:
     - Legitimate administrator adding new domain controller to already existing domain
 level: medium
-status: experimental
+status: unsupported

rules-unsupported/win_dumping_ntdsdit_via_netsync.yml

@@ -27,4 +27,4 @@ detection:
 falsepositives:
     - Legitimate administrator adding new domain controller to already existing domain
 level: medium
-status: experimental
+status: unsupported

rules-unsupported/win_kernel_and_3rd_party_drivers_exploits_token_stealing.yml

@@ -6,7 +6,7 @@ references:
 tags:
     - attack.privilege_escalation
     - attack.t1068
-status: experimental
+status: unsupported
 author: Teymur Kheirkhabarov (source), Daniil Yugoslavskiy (rule)
 date: 2019/06/03
 logsource:

rules-unsupported/win_mal_service_installs.yml

@@ -34,4 +34,5 @@ detection:
     condition: selection and 1 of malsvc_*
 falsepositives:
     - Penetration testing
-level: critical
+level: critical
+status: unsupported

rules-unsupported/win_metasploit_or_impacket_smb_psexec_service_install.yml

@@ -34,4 +34,5 @@ fields:
     - ServiceFileName
 falsepositives:
     - Possible, different agents with a 8 character binary and a 4, 8 or 16 character service name
-level: high
+level: high
+status: unsupported

rules-unsupported/win_possible_privilege_escalation_using_rotten_potato.yml

@@ -8,7 +8,7 @@ tags:
     - attack.privilege_escalation
     - attack.t1134           # an old one
     - attack.t1134.002
-status: experimental
+status: unsupported
 author: Teymur Kheirkhabarov
 date: 2019/10/26
 modified: 2020/09/01

rules-unsupported/win_remote_schtask.yml

@@ -1,6 +1,6 @@
 title: Remote Schtasks Creation
 id: cf349c4b-99af-40fa-a051-823aa2307a84
-status: experimental
+status: unsupported
 description: Detects remote execution via scheduled task creation or update on the destination host
 author: Jai Minton, oscd.community
 date: 2020/10/05

rules-unsupported/win_remote_service.yml

@@ -1,7 +1,7 @@
 action: global
 title: Remote Service Creation
 id: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46
-status: experimental
+status: unsupported
 description: Detects remote execution via service creation on the destination host
 author: Jai Minton, oscd.community
 date: 2020/10/05