Format markdown files

docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-DNS.md

@@ -16,8 +16,8 @@ The query tries to detect suspicious DNS queries known from Cobalt Strike beacon
 CobaltStrike
 
 **Reference:**\
-https://github.com/SigmaHQ/sigma/blob/dcfb4c5c28431dcdc1d26ed4e008945965afd8ed/rules/network/dns/net_dns_mal_cobaltstrike.yml#L4\
-https://blog.sekoia.io/hunting-and-detecting-cobalt-strike/\
+https://github.com/SigmaHQ/sigma/blob/dcfb4c5c28431dcdc1d26ed4e008945965afd8ed/rules/network/dns/net_dns_mal_cobaltstrike.yml#L4%5C
+https://blog.sekoia.io/hunting-and-detecting-cobalt-strike/%5C
 https://blog.gigamon.com/2017/07/26/footprints-of-fin7-tracking-actor-patterns-part-1/
 
 #### ATT&CK TACTICS<br>

docs/guidelines/TTP_Hunt/ADS_forms/S0154-CobaltStrike-NamedPipe.md

@@ -13,12 +13,12 @@ CobaltStrike uses named pipes for communication between processes. Default beaco
 CobaltStrike
 
 **Reference:**\
-https://github.com/SigmaHQ/sigma/blob/dcfb4c5c28431dcdc1d26ed4e008945965afd8ed/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml#L4\
-https://twitter.com/d4rksystem/status/1357010969264873472\
-https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/\
-https://github.com/SigmaHQ/sigma/issues/253\
-https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/\
-https://redcanary.com/threat-detection-report/threats/cobalt-strike/\
+https://github.com/SigmaHQ/sigma/blob/dcfb4c5c28431dcdc1d26ed4e008945965afd8ed/rules/windows/pipe_created/pipe_created_mal_cobaltstrike.yml#L4%5C
+https://twitter.com/d4rksystem/status/1357010969264873472%5C
+https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/%5C
+https://github.com/SigmaHQ/sigma/issues/253%5C
+https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/%5C
+https://redcanary.com/threat-detection-report/threats/cobalt-strike/%5C
 https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Command%20and%20Control/C2-NamedPipe.yaml
 
 #### ATT&CK TACTICS<br>

docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-DirCommand.md

@@ -12,9 +12,9 @@ Actor may use Impacket’s wmiexec, which redirects output to a file within the
 Volt Typhoon activity
 
 **Reference:**\
-https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection\
-https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/\
-https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a\
+https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection%5C
+https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/%5C
+https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a%5C
 https://github.com/Azure/Azure-Sentinel/blob/3833100de05ce61d6972c43dd5af7b9706e4674c/Solutions/Windows%20Security%20Events/Hunting%20Queries/CommandsexecutedbyWMIonnewhosts-potentialImpacket.yaml#L21
 
 #### ATT&CK TACTICS<br>

docs/guidelines/TTP_Hunt/ADS_forms/S0357-Impacket-SecretdumpSMB2.md

@@ -12,9 +12,9 @@ Actor may use Impacket’s wmiexec, which redirects output to a file within the
 Volt Typhoon activity
 
 **Reference:**\
-https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection\
-https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/\
-https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a\
+https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection%5C
+https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/%5C
+https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a%5C
 https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Attacker%20Tools%20Threat%20Protection%20Essentials/Hunting%20Queries/PotentialImpacketExecution.yaml
 
 #### ATT&CK TACTICS<br>

docs/guidelines/TTP_Hunt/ADS_forms/S0552-ADFind-Execution.md

@@ -22,9 +22,9 @@ Detects the use of Adfind. AdFind continues to be seen across majority of breach
 Common tool
 
 **Reference:**\
-https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml\
+https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml%5C
 https://github.com/SigmaHQ/sigma/blob/b9c0dd661eac6b6efdb47f7cfcbb20b5a5c169da/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml
-https://thedfirreport.com/2020/05/08/adfind-recon/\
+https://thedfirreport.com/2020/05/08/adfind-recon/%5C
 https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
 
 #### ATT&CK TACTICS  <br />

docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-DefenderExclusions.md

@@ -13,7 +13,7 @@ Qbot used reg.exe to add Defender folder exceptions for folders within AppData a
 Malware
 
 **Reference**\
-https://github.com/SigmaHQ/sigma/blob/4de6102dc7d94c9ee70995aeea27b77184d62c35/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml#L4\
+https://github.com/SigmaHQ/sigma/blob/4de6102dc7d94c9ee70995aeea27b77184d62c35/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml#L4%5C
 https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/
 
 #### ATT&CK TACTICS

docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-Post-compromise-commands.md

@@ -12,8 +12,8 @@ nslookup -querytype=ALL -timeout=12 \_ldap.\_tcp.dc.\_msdcs.\<domain_fqdn>
 Malware
 
 **Reference**\
-https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/22cf7b2e0ef909e3f8ba1b39e2a8e897b6f49fb5/Defender%20For%20Endpoint/QakbotPostCompromiseCommandsExecuted.md?plain=1\
-https://github.com/Azure/Azure-Sentinel/blob/2030f55a46b18e9d9723b06557d0653f38e21724/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/Qakbot/Qakbot%20reconnaissance%20activities.yaml#L2\
+https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/22cf7b2e0ef909e3f8ba1b39e2a8e897b6f49fb5/Defender%20For%20Endpoint/QakbotPostCompromiseCommandsExecuted.md?plain=1%5C
+https://github.com/Azure/Azure-Sentinel/blob/2030f55a46b18e9d9723b06557d0653f38e21724/Hunting%20Queries/Microsoft%20365%20Defender/Campaigns/Qakbot/Qakbot%20reconnaissance%20activities.yaml#L2%5C
 https://www.trendmicro.com/en_au/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
 
 #### ATT&CK TACTICS <br />

docs/guidelines/TTP_Hunt/ADS_forms/S0650-Qakbot-ProcessExecution.md

@@ -12,7 +12,7 @@ Detects potential QBot activity by looking for process executions used previousl
 Malware
 
 **Reference**\
-https://github.com/SigmaHQ/sigma/blob/4de6102dc7d94c9ee70995aeea27b77184d62c35/rules-emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml#L4\
+https://github.com/SigmaHQ/sigma/blob/4de6102dc7d94c9ee70995aeea27b77184d62c35/rules-emerging-threats/2019/Malware/QBot/proc_creation_win_malware_qbot.yml#L4%5C
 https://www.trendmicro.com/en_au/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
 
 #### ATT&CK TACTICS

docs/guidelines/TTP_Hunt/ADS_forms/T1003.001-OSCredentialDumping-LSASSMemory.md

@@ -14,9 +14,9 @@ Volt Typhoon activity
 
 ### Reference:
 
-https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/\
-https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection\
-https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/SuspectedLSASSDump.yaml\
+https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/%5C
+https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection%5C
+https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Hunting%20Queries/SuspectedLSASSDump.yaml%5C
 https://docs.microsoft.com/sysinternals/downloads/procdump
 
 #### ATT&CK TACTICS

docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-Exfiltratentds.dit.md

@@ -13,9 +13,9 @@ Volt Typhoon activity
 
 ### Reference:
 
-https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/\
-https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection\
-https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on\
+https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/%5C
+https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection%5C
+https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on%5C
 https://docs.microsoft.com/sysinternals/downloads/procdump
 
 #### ATT&CK TACTICS

docs/guidelines/TTP_Hunt/ADS_forms/T1003.003-OSCredentialDumping-NTDSusingTools.md

@@ -13,9 +13,9 @@ Volt Typhoon activity
 
 ### Reference:
 
-https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/\
-https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection\
-https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on\
+https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-preventing-lsass-credential-dumping-attacks/%5C
+https://www.cyber.gov.au/about-us/advisories/prc-state-sponsored-cyber-actor-living-off-the-land-to-evade-detection%5C
+https://risksense.com/blog/hidden-gems-in-windows-the-hunt-is-on%5C
 https://docs.microsoft.com/sysinternals/downloads/procdump
 
 #### ATT&CK TACTICS

docs/guidelines/TTP_Hunt/ADS_forms/T1016-Info-stealer-tool-Grixba.md

@@ -12,8 +12,8 @@ Imageload log containing file name costura.commandline.dll which is used by Grix
 Play ransomware
 
 **Reference:**\
-https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a\
-https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy\
+https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a%5C
+https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/play-ransomware-volume-shadow-copy%5C
 https://www.bleepingcomputer.com/news/security/play-ransomware-gang-uses-custom-shadow-volume-copy-data-theft-tool/
 
 #### ATT&CK TACTICS <br />

docs/guidelines/TTP_Hunt/ADS_forms/T1547.001-Potential-Persistence-Attempt-Via-Run-Keys-Using-Reg.EXE.md

@@ -11,7 +11,7 @@ REG  ADD "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /V "softoz" /
 common persistance
 
 **Reference:**\
-https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml#L22\
+https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml#L22%5C
 https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
 
 #### ATT&CK TACTICS <br />

docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Disable-Defender-Functionalities-Via-Registry-Keys.md

@@ -13,7 +13,7 @@ Detects when attackers or tools disable Windows Defender functionalities via the
 Ransomware
 
 **Reference:**\
-https://github.com/SigmaHQ/sigma/blob/8d28609c041867e1cea7821900e43c0106e6c766/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml#L42\
+https://github.com/SigmaHQ/sigma/blob/8d28609c041867e1cea7821900e43c0106e6c766/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml#L42%5C
 https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::DisableAntiSpyware
 
 #### ATT&CK TACTICS    <br />

docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Disable-or-Modify-Tools-Potential-PowerShell-Downgrade-Attack.md

@@ -12,7 +12,7 @@ Detects command execution and arguments associated with disabling or modificatio
 N/A
 
 **Reference:**
-https://github.com/SigmaHQ/sigma/blob/6eaba7e37ebb17541991c99a764ccb6866696bc6/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml\
+https://github.com/SigmaHQ/sigma/blob/6eaba7e37ebb17541991c99a764ccb6866696bc6/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml%5C
 https://www.leeholmes.com/detecting-and-preventing-powershell-downgrade-attacks/
 
 #### ATT&CK TACTICS  <br />

docs/guidelines/TTP_Hunt/ADS_forms/T1562.001-Impair-Defenses-Removal-Of-AMSI-Provider-Registry-Keys.md

@@ -14,8 +14,8 @@ Ransomware\
 Persistence
 
 **Reference:**\
-https://github.com/SigmaHQ/sigma/blob/8d28609c041867e1cea7821900e43c0106e6c766/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml\
-https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md\
+https://github.com/SigmaHQ/sigma/blob/8d28609c041867e1cea7821900e43c0106e6c766/rules/windows/registry/registry_delete/registry_delete_removal_amsi_registry_key.yml%5C
+https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md%5C
 https://seclists.org/fulldisclosure/2020/Mar/45
 
 #### ATT&CK TACTICS

docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-Disable-Windows-Logging-using-wevtutil.md

@@ -12,7 +12,7 @@ wevtutil /e:false	// Disables a log
 Ransomware
 
 **Reference:**\
-https://www.microsoft.com/en-us/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\
+https://www.microsoft.com/en-us/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/%5C
 https://github.com/Azure/Azure-Sentinel/blob/c6dce9c3aa4d4b4d02423ac4eb5a6b677a39e432/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/Clearing%20of%20forensic%20evidence%20from%20event%20logs%20using%20wevtutil.yaml
 
 #### ATT&CK TACTICS  <br />

docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-Disable-WindowsLoggingMiniNT.md

@@ -12,7 +12,7 @@ Detects the addition of the MiniNT registry key in HKEY_LOCAL_MACHINE\\SYSTEM\\C
 N/A
 
 **Reference:**\
-https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml\
+https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/registry/registry_event/registry_event_disable_security_events_logging_adding_reg_key_minint.yml%5C
 https://twitter.com/0gtweet/status/1182516740955226112
 
 #### ATT&CK TACTICS

docs/guidelines/TTP_Hunt/ADS_forms/T1562.002-Impair-Defenses-DisableWindowsLoggingonEventID.md

@@ -11,8 +11,8 @@ N/A
 Log clearing
 
 **Reference:**\
-https://www.microsoft.com/en-us/security/blog/2020/04/01/microsoft-works-with-healthcare-organizations-to-protect-from-popular-ransomware-during-covid-19-crisis-heres-what-to-do/\
-https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/builtin/security/win_security_event_log_cleared.yml#L4\
+https://www.microsoft.com/en-us/security/blog/2020/04/01/microsoft-works-with-healthcare-organizations-to-protect-from-popular-ransomware-during-covid-19-crisis-heres-what-to-do/%5C
+https://github.com/SigmaHQ/sigma/blob/cac07b8ecd07ffe729ed82dfa2082fdb6a1ceabc/rules/windows/builtin/security/win_security_event_log_cleared.yml#L4%5C
 https://lantern.splunk.com/Splunk_Platform/UCE/Security/Threat_Hunting/Detecting_a_ransomware_attack/Windows_event_log_cleared
 
 #### ATT&CK TACTICS

docs/guidelines/TTP_Hunt/ADS_forms/T1574.002-Diamond-Sleet-APT-Process-Activity-Indicators.md

@@ -12,7 +12,7 @@ Detects process creation activity indicators related to Diamond Sleet APT
 Diamond Sleet
 
 **Reference:**
-https://github.com/SigmaHQ/sigma/blob/7509f6ab6bc32e7bca66fc638363a92dfbf0449d/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml\
+https://github.com/SigmaHQ/sigma/blob/7509f6ab6bc32e7bca66fc638363a92dfbf0449d/rules-emerging-threats/2023/TA/Diamond-Sleet/proc_creation_win_apt_diamond_sleet_indicators.yml%5C
 https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/
 
 #### ATT&CK TACTICS  <br />