fix:F multiple 404 links in references (SigmaHQ#4332)

ryanplasma · web-flow · commit cda0fbff62ce · 2023-06-26T10:10:04.000+01:00
diff --git a/deprecated/windows/sysmon_mimikatz_detection_lsass.yml b/deprecated/windows/sysmon_mimikatz_detection_lsass.yml
@@ -5,7 +5,7 @@ description: Detects process access to LSASS which is typical for Mimikatz (0x10
     versions", 0x0010 PROCESS_VM_READ)
 references:
     - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
-    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
 tags:
     - attack.t1003
     - attack.s0002
diff --git a/rules/application/spring/spring_application_exceptions.yml b/rules/application/spring/spring_application_exceptions.yml
@@ -3,7 +3,7 @@ id: ae48ab93-45f7-4051-9dfe-5d30a3f78e33
 status: stable
 description: Detects suspicious Spring framework exceptions that could indicate exploitation attempts
 references:
-    - https://docs.spring.io/spring-security/site/docs/current/apidocs/overview-tree.html
+    - https://docs.spring.io/spring-security/site/docs/current/api/overview-tree.html
 author: Thomas Patzke
 date: 2017/08/06
 modified: 2020/09/01
diff --git a/rules/linux/builtin/lnx_shell_clear_cmd_history.yml b/rules/linux/builtin/lnx_shell_clear_cmd_history.yml
@@ -4,7 +4,7 @@ status: test
 description: Clear command history in linux which is used for defense evasion.
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.003/T1070.003.md
-    - https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics
+    - https://www.hackers-arise.com/post/2016/06/20/covering-your-bash-shell-tracks-antiforensics
 author: Patrick Bareiss
 date: 2019/03/24
 modified: 2022/12/25
diff --git a/rules/linux/builtin/lnx_shell_susp_commands.yml b/rules/linux/builtin/lnx_shell_susp_commands.yml
@@ -3,7 +3,7 @@ id: 2aa1440c-9ae9-4d92-84a7-a9e5f5e31695
 status: test
 description: Detects suspicious shell commands used in various exploit codes (see references)
 references:
-    - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
+    - https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html
     - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb
     - http://pastebin.com/FtygZ1cg
     - https://artkond.com/2017/03/23/pivoting-guide/
diff --git a/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml b/rules/windows/builtin/security/account_management/win_security_overpass_the_hash.yml
@@ -3,7 +3,7 @@ id: 192a0330-c20b-4356-90b6-7b7049ae0b87
 status: test
 description: Detects successful logon with logon type 9 (NewCredentials) which matches the Overpass the Hash behavior of e.g Mimikatz's sekurlsa::pth module.
 references:
-    - https://cyberwardog.blogspot.de/2017/04/chronicles-of-threat-hunter-hunting-for.html
+    - https://web.archive.org/web/20220419045003/https://cyberwardog.blogspot.com/2017/04/chronicles-of-threat-hunter-hunting-for.html
 author: Roberto Rodriguez (source), Dominik Schaudel (rule)
 date: 2018/02/12
 modified: 2021/11/27
diff --git a/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml b/rules/windows/builtin/security/win_security_alert_active_directory_user_control.yml
@@ -3,7 +3,7 @@ id: 311b6ce2-7890-4383-a8c2-663a9f6b43cd
 status: test
 description: Detects scenario where if a user is assigned the SeEnableDelegationPrivilege right in Active Directory it would allow control of other AD user objects.
 references:
-    - https://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
+    - https://blog.harmj0y.net/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/
 author: '@neu5ron'
 date: 2017/07/30
 modified: 2021/12/02
diff --git a/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml b/rules/windows/builtin/security/win_security_alert_ad_user_backdoors.yml
@@ -5,7 +5,7 @@ description: Detects scenarios where one can control another users or computers
 references:
     - https://msdn.microsoft.com/en-us/library/cc220234.aspx
     - https://adsecurity.org/?p=3466
-    - https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
+    - https://blog.harmj0y.net/redteaming/another-word-on-delegation/
 author: '@neu5ron'
 date: 2017/04/13
 modified: 2021/11/27
diff --git a/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml b/rules/windows/builtin/security/win_security_alert_enable_weak_encryption.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects scenario where weak encryption is enabled for a user profile which could be used for hash/password cracking.
 references:
     - https://adsecurity.org/?p=2053
-    - https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
+    - https://blog.harmj0y.net/redteaming/another-word-on-delegation/
 author: '@neu5ron'
 date: 2017/07/30
 modified: 2021/11/27
diff --git a/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml b/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml
@@ -4,7 +4,7 @@ status: test
 description: Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).
 references:
     - https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml
-    - https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file
+    - https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file
 author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
 date: 2020/08/06
 modified: 2021/11/27
diff --git a/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml
@@ -3,7 +3,7 @@ id: 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76
 status: experimental
 description: Detects process handle on LSASS process with certain access mask
 references:
-    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
 author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update)
 date: 2019/11/01
diff --git a/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml b/rules/windows/file/file_access/file_access_win_dpapi_master_key_access.yml
@@ -5,7 +5,7 @@ description: |
   Detects suspicious processes based on name and location that access the Windows Data Protection API Master keys.
   Which can be a sign of credential stealing. Example case would be usage of mimikatz "dpapi::masterkey" function
 references:
-    - https://web.archive.org/web/20181130065817/http://www.harmj0y.net/blog/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
+    - http://blog.harmj0y.net/redteaming/operational-guidance-for-offensive-user-dpapi-abuse/
     - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/17
diff --git a/rules/windows/image_load/image_load_susp_uncommon_image_load.yml b/rules/windows/image_load/image_load_susp_uncommon_image_load.yml
@@ -3,7 +3,7 @@ id: e32ce4f5-46c6-4c47-ba69-5de3c9193cd7
 status: test
 description: Detects Loading of samlib.dll, WinSCard.dll from untypical process e.g. through process hollowing by Mimikatz
 references:
-    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
+    - https://web.archive.org/web/20220815065318/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html
 author: Markus Neis
 date: 2018/01/07
 modified: 2021/11/27
diff --git a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml
@@ -3,7 +3,7 @@ id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
 status: experimental
 description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.
 references:
-    - https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html
+    - https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
     - https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
diff --git a/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml b/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml
@@ -3,7 +3,7 @@ id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
 status: test
 description: Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).
 references:
-    - https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html
+    - https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html
     - https://twitter.com/dez_/status/986614411711442944
     - https://lolbas-project.github.io/lolbas/Binaries/Wmic/
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
diff --git a/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml b/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml
@@ -5,7 +5,7 @@ description: Detects the creation of a named pipe used by known APT malware
 references:
     - https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/
     - https://securelist.com/faq-the-projectsauron-apt/75533/
-    - https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
+    - https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
     - https://www.us-cert.gov/ncas/alerts/TA17-117A
     - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
     - https://thedfirreport.com/2020/06/21/snatch-ransomware/
diff --git a/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml b/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml
@@ -6,7 +6,7 @@ related:
 status: experimental
 description: Detects the execution of the hacktool Rubeus using specific command line flags
 references:
-    - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
+    - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
     - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
     - https://github.com/GhostPack/Rubeus
 author: Christian Burkard (Nextron Systems), Florian Roth (Nextron Systems)
diff --git a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools
 references:
     - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
-    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
     - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community
diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump.yml b/rules/windows/process_access/proc_access_win_lsass_memdump.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
 references:
     - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
-    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md
     - https://research.splunk.com/endpoint/windows_possible_credential_dumping/
 author: Samir Bousseaden, Michael Haag
diff --git a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml
@@ -8,7 +8,7 @@ description: Detects process access to LSASS memory with suspicious access flags
 references:
     - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
     - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
-    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
     - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth (Nextron Systems)
diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml
@@ -8,7 +8,7 @@ description: Detects process access to LSASS memory with suspicious access flags
 references:
     - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
     - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
-    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
     - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth (Nextron Systems)
diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
@@ -5,7 +5,7 @@ description: Detects process access to LSASS memory with suspicious access flags
 references:
     - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights
     - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
-    - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
+    - https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
     - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
     - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth (Nextron Systems)
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml b/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml
@@ -6,7 +6,7 @@ related:
 status: stable
 description: Detects the execution of the hacktool Rubeus via PE information of command line parameters
 references:
-    - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
+    - https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus
     - https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
     - https://github.com/GhostPack/Rubeus
 author: Florian Roth (Nextron Systems)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml
@@ -3,7 +3,7 @@ id: eee00933-a761-4cd0-be70-c42fe91731e7
 status: test
 description: Detects when GfxDownloadWrapper.exe downloads file from non standard URL
 references:
-    - https://lolbas-project.github.io/lolbas/Binaries/GfxDownloadWrapper/
+    - https://lolbas-project.github.io/lolbas/HonorableMentions/GfxDownloadWrapper/
 author: Victor Sergeev, oscd.community
 date: 2020/10/09
 modified: 2022/01/06
diff --git a/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml b/rules/windows/process_creation/proc_creation_win_psr_capture_screenshots.yml
@@ -4,7 +4,7 @@ status: test
 description: The psr.exe captures desktop screenshots and saves them on the local machine
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Psr/
-    - https://www.sans.org/summit-archives/file/summit-archive-1493861893.pdf
+    - https://web.archive.org/web/20200229201156/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493861893.pdf
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md
 author: Beyu Denis, oscd.community
 date: 2019/10/12
diff --git a/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml b/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml
@@ -5,7 +5,7 @@ description: Adversaries may attempt to get a listing of other systems by IP add
 references:
     - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
     - https://ss64.com/nt/for.html
-    - https://ss64.com/ps/foreach-object.htmll
+    - https://ss64.com/ps/foreach-object.html
 author: frack113
 date: 2022/03/12
 tags:
