From 7ebd41119087734bb69350637ab43834d77f148f Mon Sep 17 00:00:00 2001
From: frack113
Date: Fri, 20 Aug 2021 14:22:17 +0200
Subject: [PATCH] update ref from conti_leak

---
 rules/windows/builtin/win_software_discovery.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rules/windows/builtin/win_software_discovery.yml b/rules/windows/builtin/win_software_discovery.yml
index d1c815ee1..b68643c66 100644
--- a/rules/windows/builtin/win_software_discovery.yml
+++ b/rules/windows/builtin/win_software_discovery.yml
@@ -7,6 +7,7 @@ author: Nikita Nazarov, oscd.community
 date: 2020/10/16
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
+    - https://github.com/harleyQu1nn/AggressorScripts #AVQuery.cna
 tags:
     - attack.discovery
     - attack.t1518
@@ -19,6 +20,7 @@ detection:
 logsource:
     product: windows
     service: powershell
+    definition: 'Script block logging must be enabled'
 detection:
     selection:
         EventID: 4104
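Review bot: In the added reference line the trailing `#AVQuery.cna` is a YAML comment rather than part of the value, so once the rule is parsed the reference resolves only to the repository root and the pointer to the specific script is lost to any tooling that renders or validates references. If the intent is to cite that script, keep the file name inside the value itself, for example `- 'https://github.com/harleyQu1nn/AggressorScripts (AVQuery.cna)'` or a direct link to the file, so the context survives parsing. The `definition` line added in the second hunk is a useful prerequisite note, since Event ID 4104 is only produced when script block logging is enabled, and it reads consistently with the free-text `definition` field used elsewhere in the rule set.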