From 9139629ff2679983853a9d034d78afc80048b8e5 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Tue, 30 Jan 2024 20:16:20 +0100
Subject: [PATCH] change status to experimental
---
 .../proc_creation_win_wscript_cscript_dropper.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename {deprecated/windows => rules/windows/process_creation}/proc_creation_win_wscript_cscript_dropper.yml (96%)
diff --git a/deprecated/windows/proc_creation_win_wscript_cscript_dropper.yml b/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml
similarity index 96%
rename from deprecated/windows/proc_creation_win_wscript_cscript_dropper.yml
rename to rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml
index 6a1be6e4f93..91f3d93f2c6 100644
--- a/deprecated/windows/proc_creation_win_wscript_cscript_dropper.yml
+++ b/rules/windows/process_creation/proc_creation_win_wscript_cscript_dropper.yml
@@ -3,14 +3,14 @@ id: cea72823-df4d-4567-950c-0b579eaf0846
 related:
 - id: 1e33157c-53b1-41ad-bbcc-780b80b58288
 type: similar
-status: deprecated
+status: experimental
 description: Detects wscript/cscript executions of scripts located in user directories
 references:
 - https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/
 - https://redcanary.com/blog/gootloader/
 author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/01/16
-modified: 2024/01/18
+modified: 2024/01/30
 tags:
 - attack.execution
 - attack.t1059.005
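Review bot: The `description` line kept in this hunk does not say how this rule differs from the related rule `1e33157c-53b1-41ad-bbcc-780b80b58288`, which is listed as `type: similar`. That matters now that `status` goes from `deprecated` back to `experimental` and the file moves under `rules/windows/process_creation/`, because deployments that load both rules may raise two alerts for the same wscript/cscript execution. The detection section lies outside this hunk, so the overlap is an assumption to confirm against both rules. If the two are meant to coexist, I would add one sentence to `description` stating which script locations or extensions this rule covers that the similar rule does not, so analysts can tell the alerts apart during triage.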