diff --git a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml
index 46b705b72..223b3637b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml
@@ -7,6 +7,7 @@ status: experimental
 description: Detect use of X509Enrollment
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41
 - https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
 author: frack113
 date: 2022/12/23
diff --git a/rules/windows/process_creation/proc_creation_win_x509enrollment.yml b/rules/windows/process_creation/proc_creation_win_x509enrollment.yml
index cff0a1082..d941ae9fe 100644
--- a/rules/windows/process_creation/proc_creation_win_x509enrollment.yml
+++ b/rules/windows/process_creation/proc_creation_win_x509enrollment.yml
@@ -7,6 +7,7 @@ status: experimental
 description: Detect use of X509Enrollment
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41
 - https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
 author: frack113
 date: 2022/12/23