diff --git a/rules/windows/process_creation/proc_creation_win_renamed_binary.yml b/rules/windows/process_creation/proc_creation_win_renamed_binary.yml index 82a6a4bfe..34fcffbb0 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_binary.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_binary.yml @@ -8,6 +8,7 @@ description: Detects the execution of a renamed binary often used by attackers o references: - https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html - https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html + - https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process author: Matthew Green @mgreen27, Ecco, James Pemberton @4A616D6573, oscd.community, Andreas Hunkeler (@Karneades) date: 2019/06/15 modified: 2023/01/18
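Review bot: the hunk adds a new `references` entry but leaves `modified: 2023/01/18` as unchanged context; if the repository convention is to bump `modified` whenever rule metadata changes, it should be updated to the date of this change (the original `date: 2019/06/15` stays as-is). Pinning the atomic-red-team link to commit 0f229c0e42bfe7ca736a14023836d65baa941ed2 is the right call, since the anchor `#atomic-test-1---masquerading-as-windows-lsass-process` depends on test ordering in that markdown file and would otherwise drift. Because the cited test is specifically about masquerading as the LSASS process, the PR description should state that the rule's detection section (not shown in this hunk) actually covers a renamed `lsass.exe` case, so the reference documents behaviour the rule detects rather than just related reading.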