Update ref

SigmaHQ · Aug 19, 2022 · f88d2be · f88d2be
1 parent 0938659
commit f88d2be
Show file tree

Hide file tree

Showing 6 changed files with 8 additions and 8 deletions.
diff --git a/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml b/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml
@@ -1,9 +1,9 @@
-title: Reg Add Suspicious Path 
+title: Reg Add Suspicious Path To AppDataLow
 id: b7e2a8d4-74bb-4b78-adc9-3f92af2d4829
 status: experimental
-description: An adversary may use many registry path with reg.exe 
+description: Detects when an adversary uses the 'AppDataLow' subkeys as a place to store data as seen in the URSNIF phishing campaign
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-40---ursnif-malware-registry-key-creation
+    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
 author: frack113
 date: 2022/08/19
 logsource:

diff --git a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
@@ -5,7 +5,7 @@ author: frack113
 date: 2022/08/19
 status: experimental
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-38---allow-rdp-remote-assistance-feature
+    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
 logsource:
     category: registry_set
     product: windows

diff --git a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
@@ -5,7 +5,7 @@ author: frack113
 date: 2022/08/19
 status: experimental
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-36---disable-windows-security-center-notifications
+    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
 logsource:
     category: registry_set
     product: windows

diff --git a/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml b/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml
@@ -5,7 +5,7 @@ author: frack113
 date: 2022/08/19
 status: experimental
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-16---lockbit-black---unusual-windows-firewall-registry-modification--cmd
+    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md
 logsource:
     category: registry_set
     product: windows

diff --git a/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml b/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml
@@ -5,7 +5,7 @@ author: frack113
 date: 2022/08/19
 status: experimental
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-43---disallowrun-execution-of-certain-application
+    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
 logsource:
     category: registry_set
     product: windows

diff --git a/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml b/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml
@@ -5,7 +5,7 @@ author: frack113
 date: 2022/08/19
 status: experimental
 references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-37---suppress-win-defender-notifications
+    - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
 logsource:
     category: registry_set
     product: windows