Merge pull request #3486 from splunk/shadow_single

pyth0n1c · web-flow · commit 4c1dbbb3acb4 · 2025-04-22T13:51:59.000-07:00
Update attack data - Delete ShadowCopy With PowerShell
diff --git a/detections/endpoint/delete_shadowcopy_with_powershell.yml b/detections/endpoint/delete_shadowcopy_with_powershell.yml
@@ -70,6 +70,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/single_event_delete_shadowcopy.log
     source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
     sourcetype: XmlWinEventLog
