From aecd8f33de0cb1a9d096b0727b28ce80f0e79a85 Mon Sep 17 00:00:00 2001
From: Detections <Detections@thedfirreport.com>
Date: Sun, 26 Jan 2025 18:05:23 -0800
Subject: [PATCH] Added DFIR Report references

---
 .../file_event/file_event_win_public_folder_payloads.yml    | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/windows/file/file_event/file_event_win_public_folder_payloads.yml b/rules/windows/file/file_event/file_event_win_public_folder_payloads.yml
index aa4aff4dd2a..d54aebcb1a1 100644
--- a/rules/windows/file/file_event/file_event_win_public_folder_payloads.yml
+++ b/rules/windows/file/file_event/file_event_win_public_folder_payloads.yml
@@ -3,9 +3,9 @@ id: b447f7de-1e53-4cbf-bfb4-f1f6d0b04e4e
 status: experimental
 description: Detects payloads dropped in public folders, which could indicate malicious activity.
 references:
-  - https://intel.thedfirreport.com/events/view/30032
-  - https://intel.thedfirreport.com/eventReports/view/70
-  - https://thedfirreport.com/2025/...TBD
+  - https://intel.thedfirreport.com/events/view/30032 (Private Report)
+  - https://intel.thedfirreport.com/eventReports/view/70 (Private Report)
+  - https://thedfirreport.com/2025/01/27/cobalt-strike-and-a-pair-of-socks-lead-to-lockbit-ransomware/
 author: 'The DFIR Report'
 date: 2025-01-23
 tags: