Update Ref+Selection

Nasreddine Bencherchali
2022-07-11 14:11:53 +01:00
parent d2f08cca5d
commit 238e0ecd7d
177 changed files with 910 additions and 961 deletions
@@ -7,22 +7,22 @@ status: experimental
author: frack113
date: 2022/01/30
description: |
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
Web browsers typically store the credentials in an encrypted format within a credential store.
Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
Web browsers typically store the credentials in an encrypted format within a credential store.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
detection:
selection_cmd:
ScriptBlockText|contains|all:
ScriptBlockText|contains|all:
- Copy-Item
- '-Destination'
selection_path:
ScriptBlockText|contains:
ScriptBlockText|contains:
- '\Opera Software\Opera Stable\Login Data'
- '\Mozilla\Firefox\Profiles'
- '\Microsoft\Edge\User Data\Default'
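Review bot: pinning the reference to commit f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 (the `- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da.../T1555.003.md` line) keeps the link from breaking when upstream moves the file, but it also freezes the documented test at that revision; state in the commit message that the pin is deliberate so maintainers know it needs a periodic refresh. The remaining lines of this hunk (`description`, `ScriptBlockText|contains|all:`, `ScriptBlockText|contains:`) change only indentation.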
@@ -34,4 +34,4 @@ falsepositives:
level: medium
tags:
- attack.credential_access
- attack.t1555.003
- attack.t1555.003
@@ -1,11 +1,11 @@
title: Get-ADUser Enumeration Using UserAccountControl Flags
title: Get-ADUser Enumeration Using UserAccountControl Flags
id: 96c982fe-3d08-4df4-bed2-eb14e02f21c8
status: experimental
description: Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.
date: 2022/03/17
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting
- https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/
logsource:
product: windows
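Review bot: the `description:` context line in this hunk, "Detects AS-REP roasting is an attack that is often-overlooked", is ungrammatical; since the file is already being touched, reword it to "Detects AS-REP roasting, an attack that is often overlooked. It is not very common, as accounts must be explicitly set to not require pre-authentication." The `title:` line appears twice because only its indentation changed.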
@@ -14,12 +14,12 @@ logsource:
detection:
selection:
#4194304 DONT_REQ_PREAUTH
ScriptBlockText|contains|all:
ScriptBlockText|contains|all:
- 'Get-ADUser'
- '-Filter'
- 'useraccountcontrol'
- '-band'
- '4194304'
- '4194304'
condition: selection
falsepositives:
- Legitimate PowerShell scripts
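Review bot: the `'4194304'` value only matches scripts that spell the DONT_REQ_PREAUTH flag in decimal, while the same `-band` test is often written with the hex literal `0x400000` (equal to 4194304). Because this list is `ScriptBlockText|contains|all:`, adding the hex form as another item would require both spellings to be present; cover it instead with a second selection (for example `selection_hex` carrying `'0x400000'` in place of `'4194304'`) and change `condition: selection` to `1 of selection_*`.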
@@ -6,7 +6,7 @@ date: 2021/07/28
modified: 2021/12/02
description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
tags:
- attack.collection
- attack.t1119
@@ -3,7 +3,7 @@ id: 83083ac6-1816-4e76-97d7-59af9a9ae46e
status: experimental
description: Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound
references:
- https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/AzureHound.ps1
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
author: Austin Songer (@austinsonger)
date: 2021/10/23
@@ -2,10 +2,10 @@ title: Windows Screen Capture with CopyFromScreen
id: d4a11f63-2390-411c-9adf-d791fd152830
status: experimental
description: |
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.
Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations
Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation.
Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen
author: frack113
date: 2021/12/28
modified: 2022/07/07
@@ -6,7 +6,7 @@ author: oscd.community, Natalia Shornikova
date: 2020/10/14
modified: 2021/10/16
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
- https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/
- https://twitter.com/bohops/status/948061991012327424
tags:
- attack.defense_evasion
@@ -18,8 +18,8 @@ logsource:
detection:
selection:
ScriptBlockText|contains|all:
- 'CL_Invocation.ps1'
- 'SyncInvoke'
- 'CL_Invocation.ps1'
- 'SyncInvoke'
condition: selection
falsepositives:
- Unknown
@@ -6,7 +6,7 @@ author: oscd.community, Natalia Shornikova
date: 2020/10/14
modified: 2021/10/16
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
- https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/
- https://twitter.com/bohops/status/948061991012327424
tags:
- attack.defense_evasion
@@ -6,7 +6,7 @@ author: oscd.community, Natalia Shornikova
date: 2020/10/14
modified: 2021/10/16
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
- https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/
- https://twitter.com/pabraeken/status/995111125447577600
tags:
- attack.defense_evasion
@@ -18,9 +18,9 @@ logsource:
detection:
selection:
ScriptBlockText|contains|all:
- 'CL_Mutexverifiers.ps1'
- 'runAfterCancelProcess'
- 'CL_Mutexverifiers.ps1'
- 'runAfterCancelProcess'
condition: selection
falsepositives:
- Unknown
level: high
level: high
@@ -6,7 +6,7 @@ author: oscd.community, Natalia Shornikova
date: 2020/10/14
modified: 2021/10/16
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
- https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/
- https://twitter.com/pabraeken/status/995111125447577600
tags:
- attack.defense_evasion
@@ -3,8 +3,8 @@ id: 363eccc0-279a-4ccf-a3ab-24c2e63b11fb
status: experimental
description: Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task
author: frack113
date: 2021/12/28
logsource:
@@ -13,7 +13,7 @@ logsource:
definition: Script block logging must be enabled
detection:
selection_cmdlet:
ScriptBlockText|contains:
ScriptBlockText|contains:
- 'New-ScheduledTaskAction'
- 'New-ScheduledTaskTrigger'
- 'New-ScheduledTaskPrincipal'
@@ -32,5 +32,5 @@ falsepositives:
- Unknown
level: medium
tags:
- attack.persistence
- attack.t1053.005
- attack.persistence
- attack.t1053.005
@@ -2,15 +2,15 @@ title: Registry-Free Process Scope COR_PROFILER
id: 23590215-4702-4a70-8805-8dc9e58314a2
status: experimental
description: |
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.
The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).
These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.
(Citation: Microsoft Profiling Mar 2017)
(Citation: Microsoft COR_PROFILER Feb 2013)
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR.
The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR).
These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.
(Citation: Microsoft Profiling Mar 2017)
(Citation: Microsoft COR_PROFILER Feb 2013)
author: frack113
date: 2021/12/30
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler
logsource:
product: windows
category: ps_script
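Review bot: "profiliers" in the description line `These profiliers are designed to monitor, troubleshoot, and debug managed code` is a typo for "profilers" that the re-indented block carries over unchanged; fix it while the block is being rewritten. The `(Citation: Microsoft Profiling Mar 2017)` and `(Citation: Microsoft COR_PROFILER Feb 2013)` lines are ATT&CK citation markup copied from the technique page and render as plain text in a Sigma description; consider replacing them with the underlying URLs under `references`.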
@@ -3,7 +3,7 @@ id: 243de76f-4725-4f2e-8225-a8a69b15ad61
status: experimental
description: Detects creation of a local user via PowerShell
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
tags:
- attack.execution
- attack.t1059.001
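Review bot: the new reference `.../T1136.001/T1136.001.md` retargets the link from T1136 to sub-technique T1136.001 (local account), which matches the description "Detects creation of a local user via PowerShell", but the tags visible in this hunk are `attack.execution` and `attack.t1059.001`; if the rest of the tag list does not already carry `attack.persistence` and `attack.t1136.001`, add them so the rule's ATT&CK mapping agrees with its reference.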
@@ -6,7 +6,7 @@ author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2021/10/16
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md
logsource:
product: windows
category: ps_script
@@ -6,7 +6,7 @@ date: 2021/08/03
modified: 2022/03/03
description: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md
- https://techgenix.com/malicious-powershell-scripts-evade-detection/
tags:
- attack.defense_evasion
@@ -4,21 +4,21 @@ status: experimental
description: Enumerates Active Directory to determine computers that are joined to the domain
date: 2022/02/12
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher
author: frack113
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enabled
detection:
selection:
ScriptBlockText|contains|all:
- 'New-Object '
- 'System.DirectoryServices.DirectorySearcher'
- '.PropertiesToLoad.Add'
- '.findall()'
- 'Properties.name'
condition: selection
selection:
ScriptBlockText|contains|all:
- 'New-Object '
- 'System.DirectoryServices.DirectorySearcher'
- '.PropertiesToLoad.Add'
- '.findall()'
- 'Properties.name'
condition: selection
falsepositives:
- Unknown
level: medium
@@ -2,10 +2,10 @@ title: Manipulation of User Computer or Group Security Principals Across AD
id: b29a93fb-087c-4b5b-a84d-ee3309e69d08
status: experimental
description: |
Adversaries may create a domain account to maintain access to victim systems.
Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..
Adversaries may create a domain account to maintain access to victim systems.
Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell
- https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0
author: frack113
date: 2021/12/28
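Review bot: the description line ending "part of that domain.." has a doubled period that the re-indented version keeps; drop one while editing. The rest of the hunk only changes indentation and pins the atomic-red-team link to commit f339e7da.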
@@ -7,14 +7,14 @@ description: |
Adversaries may search for common password storage locations to obtain user credentials.
Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
detection:
selection_kiddie:
ScriptBlockText|contains:
ScriptBlockText|contains:
- 'Get-PasswordVaultCredentials'
- 'Get-CredManCreds'
selection_rename_Password:
@@ -34,4 +34,4 @@ falsepositives:
level: medium
tags:
- attack.credential_access
- attack.t1555
- attack.t1555
@@ -3,7 +3,7 @@ id: 991a9744-f2f0-44f2-bd33-9092eba17dc3
status: experimental
description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
author: frack113
date: 2022/01/07
@@ -4,17 +4,17 @@ status: experimental
author: frack113
date: 2021/12/20
description: |
Adversaries may search for common password storage locations to obtain user credentials.
Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
Adversaries may search for common password storage locations to obtain user credentials.
Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
detection:
selection_cmd:
ScriptBlockText|contains|all:
ScriptBlockText|contains|all:
- vaultcmd
- '/listcreds:'
selection_option:
@@ -1,11 +1,10 @@
title: Powershell File and Directory Discovery
id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
description: |
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors,
including whether or not the adversary fully infects the target and/or attempts specific actions.
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
status: experimental
author: frack113
date: 2021/12/15
@@ -27,4 +26,4 @@ falsepositives:
level: low
tags:
- attack.discovery
- attack.t1083
- attack.t1083
@@ -2,11 +2,11 @@ title: Service Registry Permissions Weakness Check
id: 95afc12e-3cbb-40c3-9340-84a032e596a3
status: experimental
description: |
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services.
Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start.
Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2
author: frack113
date: 2021/12/30
@@ -21,8 +21,8 @@ detection:
- 'REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\'
condition: selection
falsepositives:
- Legitimate administrative script
- Legitimate administrative script
level: medium
tags:
- attack.persistence
- attack.t1574.011
- attack.persistence
- attack.t1574.011
@@ -1,21 +1,21 @@
title: Suspicious Get-ADReplAccount
id: 060c3ef1-fd0a-4091-bf46-e7d625f60b73
status: experimental
description:
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.
These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
description: |
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.
These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
date: 2022/02/06
author: frack113
references:
- https://www.powershellgallery.com/packages/DSInternals
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
detection:
selection:
ScriptBlockText|contains|all:
ScriptBlockText|contains|all:
- Get-ADReplAccount
- '-All '
- '-Server '
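Review bot: changing `description:` to `description: |` is the right fix here: without the block indicator the two indented lines form a plain multi-line scalar that YAML folds into a single line, whereas the literal block keeps the two sentences as written. The `ScriptBlockText|contains|all:` line is repeated because only its indentation changed.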
@@ -8,7 +8,7 @@ description: |
Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about
internal network resources such as servers, tools/dashboards, or other related infrastructure.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
logsource:
product: windows
category: ps_script
@@ -19,7 +19,7 @@ detection:
- 'Get-ChildItem'
- ' -Recurse '
- ' -Path '
- ' -Filter Bookmarks'
- ' -Filter Bookmarks'
- ' -ErrorAction SilentlyContinue'
- ' -Force'
condition: selection
@@ -29,4 +29,3 @@ level: low
tags:
- attack.discovery
- attack.t1217
@@ -4,7 +4,7 @@ status: experimental
description: Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers
author: Nasreddine Bencherchali
references:
- https://github.com/411Hall/JAWS/blob/master/jaws-enum.ps1
- https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1
date: 2022/06/21
logsource:
product: windows
@@ -3,7 +3,7 @@ id: 4c4af3cd-2115-479c-8193-6b8bfce9001c
status: experimental
description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
author: 'Bartlomiej Czyz @bczyz1, oscd.community'
date: 2020/10/10
modified: 2021/10/16
@@ -3,7 +3,7 @@ id: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6
status: experimental
description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2
author: frack113
date: 2022/01/07
@@ -3,7 +3,7 @@ id: d59d7842-9a21-4bc6-ba98-64bfe0091355
status: experimental
description: DNSExfiltrator allows for transfering (exfiltrate) a file over a DNS request covert channel
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh
- https://github.com/Arno0x/DNSExfiltrator
author: frack113
date: 2022/01/07
@@ -2,7 +2,7 @@ title: Invoke-Obfuscation Obfuscated IEX Invocation
id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7
description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014
references:
- https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888
- https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888
status: experimental
author: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community'
date: 2019/11/08
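Review bot: the `description:` context line contains a literal `\u2014` escape and stops at "from the following code block", so the sentence was cut off when the text was pasted; since this file is being touched, either finish the sentence or end it at "framework" and drop the escape, which YAML does not interpret in an unquoted scalar.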
@@ -3,11 +3,11 @@ id: 34f90d3c-c297-49e9-b26d-911b05a4866c
status: experimental
author: frack113
date: 2021/07/30
modified: 2021/10/16
modified: 2022/07/11
description: Adversaries may log user keystrokes to intercept credentials as the user types them.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/src/Get-Keystrokes.ps1
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1
tags:
- attack.collection
- attack.t1056.001
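Review bot: the first reference, `.../T1218/T1218.md` (Signed Binary Proxy Execution), does not match a rule tagged `attack.t1056.001` and described as keystroke logging; the second reference (`T1056.001/src/Get-Keystrokes.ps1`) is the relevant one, so check whether the T1218 link is a leftover and drop it rather than pin it to a commit. The `modified` bump to 2022/07/11 is appropriate, but the other rules in this commit whose references were also changed keep their old `modified` dates; make that consistent.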
@@ -22,7 +22,7 @@ detection:
ScriptBlockText|contains|all:
- 'Get-ProcAddress user32.dll GetAsyncKeyState'
- 'Get-ProcAddress user32.dll GetForegroundWindow'
condition: selection_basic or selection_high
condition: 1 of selection_*
falsepositives:
- Unknown
level: medium
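Review bot: replacing `condition: selection_basic or selection_high` with `1 of selection_*` is only equivalent if `selection_basic` and `selection_high` are the only identifiers matching `selection_*` in the detection block; the hunk shows just the tail of one selection, so confirm that no third `selection_*` block exists (for example one intended as an exclusion), since the wildcard would silently pull it into the OR.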
@@ -2,10 +2,10 @@ title: Powershell LocalAccount Manipulation
id: 4fdc44df-bfe9-4fcc-b041-68f5a2d3031c
status: experimental
description: |
Adversaries may manipulate accounts to maintain access to victim systems.
Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups
Adversaries may manipulate accounts to maintain access to victim systems.
Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1
author: frack113
date: 2021/12/28
@@ -25,8 +25,8 @@ detection:
- 'Remove-LocalUser'
condition: selection
falsepositives:
- Legitimate administrative script
- Legitimate administrative script
level: medium
tags:
- attack.persistence
- attack.t1098
- attack.persistence
- attack.t1098
@@ -6,8 +6,8 @@ author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (upd
references:
- https://adsecurity.org/?p=2921
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/master/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/master/Start-WebcamRecorder.ps1
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
date: 2017/03/05
modified: 2022/06/22
logsource:
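Review bot: the xorrior reference is not merely pinned, it changes target from `Start-WebcamRecorder.ps1` to `Get-DXWebcamVideo.ps1` at commit 848c919bfce4e2d67b626cbcf4404341cfe3d3b6; if the old file was renamed or replaced upstream, say so in the commit message (currently "Update Ref+Selection"), and check that the selection strings the rule takes from that script still match its contents. The Invoke-ZeroLogon pin to 111d17c7fec486d9bb23387e2e828b09a26075e4 is a straightforward ref update.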
@@ -2,14 +2,14 @@ title: Powershell MsXml COM Object
id: 78aa1347-1517-4454-9982-b338d6df8343
status: experimental
description: |
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
author: frack113, MatilJ
date: 2022/01/19
modified: 2022/05/19
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt
- https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)
- https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
logsource:
@@ -25,8 +25,8 @@ detection:
- 'XmlHttp'
condition: selection
falsepositives:
- Legitimate administrative script
- Legitimate administrative script
level: medium
tags:
- attack.execution
- attack.t1059.001
- attack.execution
- attack.t1059.001
@@ -4,7 +4,7 @@ status: experimental
description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
references:
- http://www.powertheshell.com/ntfsstreams/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
tags:
- attack.defense_evasion
- attack.t1564.004
@@ -2,10 +2,10 @@ title: Code Executed Via Office Add-in XLL File
id: 36fbec91-fa1b-4d5d-8df1-8d8edcb632ad
status: experimental
description: |
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.
Office add-ins can be used to add functionality to Office programs
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system.
Office add-ins can be used to add functionality to Office programs
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md
author: frack113
date: 2021/12/28
logsource:
@@ -5,7 +5,7 @@ description: |
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2
author: frack113
date: 2022/01/06
@@ -4,7 +4,7 @@ status: experimental
description: Powershell Remove-Item with -Path to delete a file or a folder with "-Recurse"
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7
date: 2022/01/15
modified: 2022/03/17
@@ -6,7 +6,7 @@ description: |
This behavior is typically used during a kerberos or silver ticket attack.
A successful execution will output the SPNs for the endpoint in question.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
author: frack113
date: 2021/12/28
logsource:
@@ -3,7 +3,7 @@ id: 42821614-9264-4761-acfc-5772c3286f76
status: experimental
description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md
author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
date: 2020/10/10
modified: 2021/12/04
@@ -24,6 +24,6 @@ detection:
- 'Import-Certificate'
- 'Cert:\LocalMachine\Root'
condition: 1 of selection*
level: medium
falsepositives:
- Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
- Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
level: medium
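Review bot: the falsepositives entry still carries an open to-do ("Need to test if GPO push doesn't trigger FP"); since this hunk only swaps the order of `level` and `falsepositives`, that check belongs in the PR discussion or an issue, and the entry itself should be trimmed to the false positive (e.g. "Help Desk or IT may need to manually add a corporate Root CA on occasion").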
@@ -5,7 +5,7 @@ description: Adversaries may abuse container files such as disk image (.iso, .vh
date: 2022/02/01
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso
- https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
logsource:
product: windows
@@ -7,7 +7,7 @@ description: |
Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.
This may include things such as firewall rules and anti-viru
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
logsource:
product: windows
category: ps_script
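Review bot: the description is cut off mid-word in the context line "This may include things such as firewall rules and anti-viru"; since this file is already being touched, complete the sentence and add the closing period.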
@@ -31,4 +31,3 @@ level: low
tags:
- attack.discovery
- attack.t1518.001
@@ -2,10 +2,10 @@ title: Powershell Exfiltration Over SMTP
id: 9a7afa56-4762-43eb-807d-c3dc9ffe211b
status: experimental
description: |
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
The data may also be sent to an alternate network location from the main command and control server.
Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
The data may also be sent to an alternate network location from the main command and control server.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2
- https://www.ietf.org/rfc/rfc2821.txt
author: frack113
@@ -6,7 +6,7 @@ author: Nikita Nazarov, oscd.community
date: 2020/10/16
modified: 2021/11/12
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
- https://github.com/harleyQu1nn/AggressorScripts #AVQuery.cna
tags:
- attack.discovery
@@ -6,7 +6,7 @@ date: 2021/09/02
modified: 2021/10/16
description: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
tags:
- attack.defense_evasion
- attack.t1564.004
@@ -24,4 +24,4 @@ detection:
condition: selection_compspec
falsepositives:
- Unknown
level: medium
level: medium
@@ -1,11 +1,11 @@
title: Suspicious Get Information for AD Groups or DoesNotRequirePreAuth User
title: AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
id: 88f0884b-331d-403d-a3a1-b668cf035603
description: |
Adversaries may attempt to find domain-level groups and permission settings.
The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
Adversaries may attempt to find domain-level groups and permission settings.
The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
status: experimental
author: frack113
date: 2021/12/15
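Review bot: the new title "AD Groups Or Users Enumeration Using PowerShell - ScriptBlock" drops the DoesNotRequirePreAuth case that the old title named, while the description and reference only cover group/permission discovery (T1069.002); if the detection block still matches on DoesNotRequirePreAuth, the description should say so, otherwise that part belongs in its own rule with its own technique tag.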
@@ -5,7 +5,7 @@ description: Detects technique used by MAZE ransomware to enumerate directories
date: 2022/03/17
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
- https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
logsource:
product: windows
@@ -24,7 +24,7 @@ detection:
condition: selection
falsepositives:
- Legitimate PowerShell scripts
level: medium
level: medium
tags:
- attack.discovery
- attack.t1083
@@ -1,13 +1,13 @@
title: Powershell Execute Batch Script
id: b5522a23-82da-44e5-9c8b-e10ed8955f88
description: |
Adversaries may abuse the Windows command shell for execution.
The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.
The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.
Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.
Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system
Adversaries may abuse the Windows command shell for execution.
The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.
The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.
Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.
Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script
status: experimental
author: frack113
date: 2022/01/02
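Review bot: the last description line is truncated ("...the same set of commands on multiple system"), and these lines are being rewritten in this hunk anyway, so finish the sentence ("multiple systems.") here rather than re-committing the cut-off text.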
@@ -28,4 +28,4 @@ falsepositives:
level: medium
tags:
- attack.execution
- attack.t1059.003
- attack.t1059.003
@@ -4,11 +4,11 @@ status: experimental
author: frack113
date: 2021/12/19
description: |
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
These can be files created by users to store their own credentials, shared credential stores for a group of individuals,
configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
These can be files created by users to store their own credentials, shared credential stores for a group of individuals,
configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
logsource:
product: windows
category: ps_script
@@ -26,4 +26,4 @@ falsepositives:
level: medium
tags:
- attack.credential_access
- attack.t1552.001
- attack.t1552.001
@@ -5,7 +5,7 @@ author: frack113
date: 2022/03/17
description: utilize Get-AdComputer to enumerate Computers within Active Directory.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
logsource:
product: windows
category: ps_script
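Review bot: the description "utilize Get-AdComputer to enumerate Computers within Active Directory." starts lowercase and reads as an instruction rather than a detection statement; align it with the sibling rules, e.g. "Detects the use of Get-AdComputer to enumerate computers within Active Directory".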
@@ -22,4 +22,3 @@ level: low
tags:
- attack.discovery
- attack.t1018
@@ -5,7 +5,7 @@ description: Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpo
date: 2022/03/17
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy
- https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy
logsource:
product: windows
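Review bot: typo in the description shown in the hunk header, "Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpo..."; correct to "Detects" while the file is being edited.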
@@ -5,7 +5,7 @@ author: frack113
date: 2022/03/17
description: Detects the use of Get-AdGroup to enumerate Groups within Active Directory
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
logsource:
product: windows
category: ps_script
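Review bot: the pinned reference for the Get-AdGroup rule points at the T1018 atomic (Remote System Discovery), but the rule is tagged `attack.t1069.002` a few lines further down and describes group enumeration; this looks copied from the Get-AdComputer rule above, so the reference should be the T1069.002 atomic instead.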
@@ -22,4 +22,3 @@ level: low
tags:
- attack.discovery
- attack.t1069.002
@@ -5,8 +5,8 @@ description: Detects the use of PowerShell to identify the current logged user.
date: 2022/04/04
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script
logsource:
product: windows
category: ps_script
@@ -5,7 +5,7 @@ description: Detect use of Get-GPO to get one GPO or all the GPOs in a domain.
date: 2022/06/04
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md
- https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps
logsource:
product: windows
@@ -5,7 +5,7 @@ description: Get the processes that are running on the local computer.
date: 2022/03/17
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7
logsource:
product: windows
@@ -5,7 +5,7 @@ description: Detects suspicious Powershell code that execute COM Objects
date: 2022/04/02
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object
logsource:
product: windows
category: ps_script
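Review bot: grammar in the description "Detects suspicious Powershell code that execute COM Objects"; use "executes" (and "PowerShell" for consistency with the other rules in this set).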
@@ -6,7 +6,7 @@ date: 2022/04/09
author: frack113
references:
- https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine
logsource:
product: windows
category: ps_script
@@ -4,10 +4,10 @@ status: experimental
author: frack113
date: 2022/01/23
description: |
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
logsource:
product: windows
category: ps_script
@@ -24,4 +24,3 @@ level: medium
tags:
- attack.command_and_control
- attack.t1071.001
@@ -6,7 +6,7 @@ date: 2022/01/09
modified: 2022/03/05
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md
logsource:
product: windows
category: ps_script
@@ -14,7 +14,7 @@ logsource:
detection:
selection:
ScriptBlockText|contains|all:
- New-Object
- New-Object
- IO.FileStream
- '\\\\.\\'
condition: selection
@@ -7,8 +7,8 @@ modified: 2021/10/16
author: Florian Roth, Perez Diego (@darkquassar)
references:
- https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
- https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
- https://github.com/hlldz/Invoke-Phant0m/blob/master/Invoke-Phant0m.ps1
- https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1
- https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1
- https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
tags:
- attack.execution
@@ -6,7 +6,7 @@ description: |
The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
author: frack113
date: 2021/12/12
logsource:
@@ -16,8 +16,8 @@ logsource:
detection:
test_3:
ScriptBlockText|contains:
- 'get-localgroup'
- 'Get-LocalGroupMember'
- 'get-localgroup'
- 'Get-LocalGroupMember'
test_6:
ScriptBlockText|contains|all:
- 'Get-WMIObject'
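Review bot: the selection names `test_3` and `test_6` mirror atomic test numbers rather than what they match; since the hunk re-indents these blocks, rename them to something descriptive (e.g. `selection_localgroup` and `selection_wmi`) so the `condition` reads on its own.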
@@ -28,4 +28,4 @@ falsepositives:
level: low
tags:
- attack.discovery
- attack.t1069.001
- attack.t1069.001
@@ -4,9 +4,9 @@ status: experimental
author: frack113
date: 2021/07/21
modified: 2021/10/16
description: Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.
description: Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md
tags:
- attack.collection
- attack.t1114.001
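Review bot: the rewritten description line still has "acquired from a users local system"; this should be "a user's local system" since the line is being changed anyway.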
@@ -21,7 +21,7 @@ detection:
- 'Microsoft.Office.Interop.Outlook'
- 'Microsoft.Office.Interop.Outlook.olDefaultFolders'
- '-comobject outlook.application'
condition: selection
condition: selection
falsepositives:
- Unknown
level: medium
@@ -5,7 +5,7 @@ description: Adversaries may abuse container files such as disk image (.iso, .vh
date: 2022/02/01
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
- https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
logsource:
product: windows
@@ -3,7 +3,7 @@ id: 66a4d409-451b-4151-94f4-a55d559c49b0
status: experimental
description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
date: 2020/10/08
modified: 2021/10/16
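Review bot: the description context line reads "Detects when when a mounted share is removed"; drop the duplicated "when" and add a closing period to the sentence.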
@@ -17,8 +17,8 @@ logsource:
detection:
selection:
ScriptBlockText|contains:
- 'Remove-SmbShare'
- 'Remove-FileShare'
- 'Remove-SmbShare'
- 'Remove-FileShare'
condition: selection
falsepositives:
- Administrators or Power users may remove their shares via cmd line
@@ -5,7 +5,7 @@ description: |
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos
author: frack113
date: 2021/12/27
logsource:
@@ -15,9 +15,9 @@ logsource:
detection:
selection:
ScriptBlockText|contains:
- 'System.DirectoryServices.Protocols.LdapDirectoryIdentifier'
- 'System.Net.NetworkCredential'
- 'System.DirectoryServices.Protocols.LdapConnection'
- 'System.DirectoryServices.Protocols.LdapDirectoryIdentifier'
- 'System.Net.NetworkCredential'
- 'System.DirectoryServices.Protocols.LdapConnection'
condition: selection
falsepositives:
- Unknown
@@ -2,7 +2,7 @@ title: Suspicious New-PSDrive to Admin Share
id: 1c563233-030e-4a07-af8c-ee0490a66d3a
description: Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2
status: experimental
author: frack113
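Review bot: the description "Adversaries may use to interact with a remote network share using Server Message Block (SMB)" is missing its object; given the title, it should read "Adversaries may use New-PSDrive to interact with a remote network share..." or similar.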
@@ -26,4 +26,4 @@ falsepositives:
level: medium
tags:
- attack.lateral_movement
- attack.t1021.002
- attack.t1021.002
@@ -6,7 +6,7 @@ date: 2021/07/30
modified: 2021/12/02
description: Once established within a system or network, an adversary may use automated techniques for collecting internal data
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
tags:
- attack.collection
- attack.t1119
@@ -4,10 +4,10 @@ status: experimental
author: frack113
date: 2021/12/26
description: |
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group
logsource:
product: windows
category: ps_script
@@ -17,7 +17,7 @@ detection:
ScriptBlockText|contains|all:
- 'Remove-ADGroupMember'
- '-Identity '
- '-Members '
- '-Members '
condition: selection
falsepositives:
- Unknown
@@ -25,4 +25,3 @@ level: medium
tags:
- attack.impact
- attack.t1531
@@ -1,11 +1,10 @@
title: Suspicious Get Information for SMB Share
id: 95f0643a-ed40-467c-806b-aac9542ec5ab
description: |
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and
to identify potential systems of interest for Lateral Movement.
Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement.
Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
status: experimental
author: frack113
date: 2021/12/15
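Review bot: the technique references in this rule disagree: the pinned reference is the T1069.002 atomic, the tag further down in the file is `attack.t1069.001`, and the description text (looking for folders and drives shared on remote systems) is that of Network Share Discovery, T1135. Pick the technique the detection actually covers and align reference, tag and description with it.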
@@ -22,4 +21,4 @@ falsepositives:
level: low
tags:
- attack.discovery
- attack.t1069.001
- attack.t1069.001
@@ -3,7 +3,7 @@ id: 195626f3-5f1b-4403-93b7-e6cfd4d6a078
status: experimental
description: Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md#atomic-test-1---openssl-c2
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2
- https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926
author: frack113
date: 2022/01/23
@@ -19,8 +19,8 @@ detection:
- '.AuthenticateAsClient'
condition: selection
falsepositives:
- Legitimate administrative script
- Legitimate administrative script
level: low
tags:
- attack.command_and_control
- attack.t1573
- attack.command_and_control
- attack.t1573
@@ -4,7 +4,7 @@ status: experimental
description: Powershell use PassThru option to start in background
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7
date: 2022/01/15
logsource:
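Review bot: the description "Powershell use PassThru option to start in background" is a fragment; rephrase as a detection statement, e.g. "Detects the use of the Start-Process -PassThru option", and state what the rule treats as suspicious about it.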
@@ -5,7 +5,7 @@ description: Remove the Zone.Identifier alternate data stream which identifies t
date: 2022/02/01
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2
logsource:
product: windows
@@ -7,7 +7,7 @@ description: |
An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users.
This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md
logsource:
product: windows
category: ps_script
@@ -17,7 +17,7 @@ detection:
ScriptBlockText|contains|all:
- 'Get-ItemProperty'
- 'Registry::'
- 'HKEY_CURRENT_USER\Control Panel\Desktop\'
- 'HKEY_CURRENT_USER\Control Panel\Desktop\'
- 'WallPaper'
selection_2:
ScriptBlockText|contains: SystemParametersInfo(20,0,*,3)
@@ -28,4 +28,3 @@ level: low
tags:
- attack.impact
- attack.t1491.001
@@ -4,9 +4,9 @@ status: experimental
author: frack113
date: 2021/08/23
modified: 2021/10/16
description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.
description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md
tags:
- attack.discovery
- attack.t1120
@@ -20,4 +20,4 @@ detection:
condition: selection
falsepositives:
- Admin script
level: low
level: low
@@ -5,7 +5,7 @@ author: frack113
date: 2021/12/26
description: Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell
logsource:
product: windows
category: ps_script
@@ -15,7 +15,7 @@ detection:
ScriptBlockText|contains|all:
- 'Get-WmiObject'
- 'Win32_Shadowcopy'
- '.Delete()'
- '.Delete()'
condition: selection
falsepositives:
- Unknown
@@ -1,9 +1,9 @@
title: Suspicious PowerShell WindowStyle Option
id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md
description: Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md
tags:
- attack.defense_evasion
- attack.t1564.003
@@ -22,4 +22,4 @@ detection:
condition: selection
falsepositives:
- Unknown
level: medium
level: medium
@@ -6,7 +6,7 @@ date: 2021/07/20
modified: 2021/10/16
description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
tags:
- attack.collection
- attack.t1074.001
@@ -7,7 +7,7 @@ status: experimental
description: Attempting to disable scheduled scanning and other parts of windows defender atp. Or set default actions to allow.
author: frack113, elhoim
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
- https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps
- https://bidouillesecurity.com/disable-windows-defender-in-powershell/
date: 2022/01/16
@@ -5,7 +5,7 @@ description: |
Adversaries may communicate using a protocol and port paring that are typically not associated.
For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell
- https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps
author: frack113
date: 2022/01/23
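Review bot: two issues in the description context lines: "protocol and port paring" should be "pairing", and the raw "(Citation: Symantec Elfin Mar 2019)" / "(Citation: Fortinet Agent Tesla April 2018)" markup was copied from the ATT&CK page and should either be dropped or turned into entries under `references`.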
@@ -25,8 +25,8 @@ detection:
- ' 80 '
condition: selection and not filter
falsepositives:
- Legitimate administrative script
- Legitimate administrative script
level: medium
tags:
- attack.command_and_control
- attack.t1571
- attack.command_and_control
- attack.t1571
@@ -4,9 +4,9 @@ status: experimental
author: frack113
date: 2021/08/03
modified: 2021/10/16
description: Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
description: Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
- https://www.offensive-security.com/metasploit-unleashed/timestomp/
tags:
- attack.defense_evasion
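Review bot: the description line is already being rewritten in this hunk (the old and new versions differ only by trailing whitespace), so it is a good moment to fix its grammar: "to hide new or changes to existing files" should read "to hide new files or changes to existing files". Pinning the atomic-red-team link to commit f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 is a sensible change, since the `master` URL can silently change content under the rule.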
@@ -6,7 +6,7 @@ date: 2021/08/18
modified: 2021/10/16
description: Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md
tags:
- attack.privilege_escalation
- attack.t1546.013
@@ -26,4 +26,4 @@ detection:
condition: selection
falsepositives:
- Unknown
level: medium
level: medium
@@ -3,7 +3,7 @@ id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb
status: experimental
description: Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md
- https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2
author: frack113
@@ -5,7 +5,7 @@ description: Detects the execution of an MSI file using PowerShell and the WMI W
author: frack113
date: 2022/04/24
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
logsource:
product: windows
category: ps_script
@@ -6,8 +6,8 @@ date: 2021/08/19
modified: 2021/10/16
description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md
- https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md
- https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545
tags:
- attack.privilege_escalation
- attack.t1546.003
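Review bot: pinning the Empire reference to commit 08cbd274bef78243d7a8ed6443b8364acd1fc48b is the right call here specifically because the link carries a `#L545` line anchor; against `master` that anchor pointed at whatever happened to be on line 545 at the time, so the pinned URL is the first version of this reference that reliably lands on the intended code. Both references in the hunk are now pinned consistently, which matches the rest of the commit.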
@@ -30,4 +30,4 @@ detection:
condition: selection_ioc
falsepositives:
- Unknown
level: medium
level: medium