From c2a16591af4f39de8317f71b5f7de2228600d71a Mon Sep 17 00:00:00 2001
From: megan201296 <megansroddie@gmail.com>
Date: Thu, 7 Mar 2019 14:22:29 -0600
Subject: [PATCH] Remove invalid link

Cybereason link was broken. Couldn't find anything with a super similar file path. The below link might be a valid replacement but went better safe than sorry and just removed it completely. https://www.cybereason.com/hubfs/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty-Part1.pdf
---
 rules/windows/process_creation/win_office_shell.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/rules/windows/process_creation/win_office_shell.yml b/rules/windows/process_creation/win_office_shell.yml
index d9c2f6080..3704cfdb2 100644
--- a/rules/windows/process_creation/win_office_shell.yml
+++ b/rules/windows/process_creation/win_office_shell.yml
@@ -4,7 +4,6 @@ description: Detects a Windows command line executable started from Microsoft Wo
 references:
     - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
     - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
-    - https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle
 tags:
     - attack.execution
     - attack.defense_evasion