From df015e555ccc3fe07d8131b51bc46f964d5dac5e Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 23 Dec 2022 13:22:50 +0100
Subject: [PATCH] Add more ref
---
 .../powershell/powershell_script/posh_ps_x509enrollment.yml | 1 +
 .../process_creation/proc_creation_win_x509enrollment.yml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml
index 46b705b72..223b3637b 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml
@@ -7,6 +7,7 @@ status: experimental
 description: Detect use of X509Enrollment
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41
 - https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
 author: frack113
 date: 2022/12/23
diff --git a/rules/windows/process_creation/proc_creation_win_x509enrollment.yml b/rules/windows/process_creation/proc_creation_win_x509enrollment.yml
index cff0a1082..d941ae9fe 100644
--- a/rules/windows/process_creation/proc_creation_win_x509enrollment.yml
+++ b/rules/windows/process_creation/proc_creation_win_x509enrollment.yml
@@ -7,6 +7,7 @@ status: experimental
 description: Detect use of X509Enrollment
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41
 - https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115
 author: frack113
 date: 2022/12/23