Clean up artifact references (Velocidex#2111)

artifacts/definitions/Linux/Ssh/PrivateKeys.yaml

@@ -22,10 +22,8 @@ description: |
   Change the glob to /** if you would like to search the entire filesystem.
   Be aware, this is an expensive operation.
 
-  ## references
-  - https://attack.mitre.org/techniques/T1145/
-
 reference:
+  - https://attack.mitre.org/techniques/T1145/
   - https://coolaj86.com/articles/the-openssh-private-key-format/
   - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
 

artifacts/definitions/Linux/Sys/SUID.yaml

@@ -21,7 +21,7 @@ description: |
   own malware to make sure they're able to execute in elevated
   contexts in the future [2].
 
-  ## References:
+reference:
   - https://attack.mitre.org/techniques/T1166/
 
 parameters:

artifacts/definitions/MacOS/Applications/MRU.yaml

@@ -2,10 +2,10 @@ name: MacOS.Applications.MRU
 description: |
    Parse the MRU from MacOS users
 
-   ### references
-   * https://mac-alias.readthedocs.io/en/latest/bookmark_fmt.html
-   * https://github.com/al45tair/mac_alias
-   * https://www.mac4n6.com/blog/2016/7/10/new-script-macmru-most-recently-used-plist-parser
+reference:
+  - https://mac-alias.readthedocs.io/en/latest/bookmark_fmt.html
+  - https://github.com/al45tair/mac_alias
+  - https://www.mac4n6.com/blog/2016/7/10/new-script-macmru-most-recently-used-plist-parser
 
 type: CLIENT
 

artifacts/definitions/MacOS/System/Dock.yaml

@@ -9,10 +9,9 @@ description: |
    have tampered with an entry, or if an entry has been added to
    emulate a legitimate application.
 
-  **ATT&CK**: [T1547.009/T1547.011 - Shortcut modification/Plist modification](https://attack.mitre.org/techniques/T1547/)
-
 reference:
   - https://specterops.io/so-con2020/event-758922
+  - ATT&CK T1547.009/T1547.011 - Shortcut modification/Plist modification - https://attack.mitre.org/techniques/T1547/
 
 author: Wes Lambert - @therealwlambert
 

artifacts/definitions/Server/Enrichment/CortexAnalyzer.yaml

@@ -1,16 +1,15 @@
 name: Server.Enrichment.CortexAnalyzer
 description: |
+  Run Cortex analyzer jobs across all enabled and applicable analyzers (based on supported analyzer data types), then retrieve the results.
 
+  This artifact can be called from within another artifact (such as one looking for files) to enrich the data made available by that artifact.
 
-   **Description**: Run Cortex analyzer jobs across all enabled and applicable analyzers (based on supported analyzer data types), then retrieve the results.
-
-   This artifact can be called from within another artifact (such as one looking for files) to enrich the data made available by that artifact.
-
-    Ex.
+  Ex.
 
     `SELECT * from Artifact.Server.Enrichment.CortexAnalyzer(Observable=$YOURHASH, ObservableType='hash')`
 
-    **Reference**: https://github.com/TheHive-Project/Cortex
+reference:
+  - https://github.com/TheHive-Project/Cortex
 
 author: Wes Lambert - @therealwlambert
 

artifacts/definitions/Server/Internal/ArtifactDescription.yaml

@@ -22,6 +22,15 @@ reports:
 
       {{ $artifact.Description }}
 
+      {{ if $artifact.Reference }}
+      References:
+      <ul>
+      {{- range $item := $artifact.Reference -}}
+      <li>{{ $item }}</li>
+      {{- end -}}
+      </ul>
+      {{ end }}
+
       {{ if $artifact.Tools }}
       ### Tools
 

artifacts/definitions/Windows/Attack/ParentProcess.yaml

@@ -7,9 +7,9 @@ description: |
   artifacts, this will be able to retrieve information about exited
   processes.
 
-  ### References:
-  * https://www.sans.org/security-resources/posters/hunt-evil/165/download
-  * https://github.com/teoseller/osquery-attck/blob/master/windows-incorrect_parent_process.conf
+reference:
+  - https://www.sans.org/security-resources/posters/hunt-evil/165/download
+  - https://github.com/teoseller/osquery-attck/blob/master/windows-incorrect_parent_process.conf
 
 precondition: SELECT OS From info() where OS = 'windows'
 

artifacts/definitions/Windows/Forensics/SAM.yaml

@@ -4,7 +4,8 @@ description: |
 
    Based on Omer Yampel's parser
 
-   reference: https://github.com/yampelo/samparser/blob/master/samparser.py
+reference:
+  - https://github.com/yampelo/samparser/blob/master/samparser.py
 
 parameters:
    - name: SAMPath

artifacts/definitions/Windows/Forensics/SolarwindsSunburst.yaml

@@ -3,10 +3,11 @@ name: Windows.Forensics.SolarwindsSunburst
 description: |
     "SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers."
 
-    Reference: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
-
     We can look for evidence of this dll by first performing a YARA search on the MFT across all drives, then applying an additional FireEye-supplied rule against the file found via MFT.
 
+reference:
+  - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
+
 author: Wes Lambert - @therealwlambert
 
 tools:

artifacts/definitions/Windows/Registry/PortProxy.yaml

@@ -1,15 +1,13 @@
 name: Windows.Registry.PortProxy
 description: |
-    **Description**:
     This artifact will return any items in the Windows PortProxy service
     registry path. The most common configuration of this service is via the
     lolbin netsh.exe; Metaspoit and other common attack tools also have
     configuration modules.
 
-    **Reference**: [Port Proxy detection]
-    (http://www.dfirnotes.net/portproxy_detection/)
-
-    **ATT&CK**: [T1090 - Connection Proxy](https://attack.mitre.org/techniques/T1090/)
+reference:
+  - Port Proxy detection(http://www.dfirnotes.net/portproxy_detection/)
+  - ATT&CK T1090 - Connection Proxy(https://attack.mitre.org/techniques/T1090/)
     Adversaries may use a connection proxy to direct network traffic between
     systems or act as an intermediary for network communications to a command
     and control server to avoid direct connections to their infrastructure.

artifacts/definitions/Windows/System/Amcache.yaml

@@ -9,9 +9,9 @@ description: |
 
   This artifact works on Windows 10 1607 version.
 
-  References:
-    https://www.andreafortuna.org/cybersecurity/amcache-and-shimcache-in-forensic-analysis/
-    https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf
+reference:
+  - https://www.andreafortuna.org/cybersecurity/amcache-and-shimcache-in-forensic-analysis/
+  - https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf
 
 parameters:
   - name: amCacheGlob

artifacts/definitions/Windows/System/CriticalServices.yaml

@@ -6,10 +6,9 @@ description: |
   The default list contains virus scanners. If the software is not
   installed at all, it will not be shown.
 
-  ATT&CK: T1089
-
-  ### References:
-  * https://github.com/teoseller/osquery-attck/blob/master/windows_critical_service_status.conf
+reference:
+  - "ATT&CK: T1089"
+  - https://github.com/teoseller/osquery-attck/blob/master/windows_critical_service_status.conf
 
 precondition: SELECT OS From info() where OS = 'windows'
 

artifacts/definitions/Windows/System/RootCAStore.yaml

@@ -2,9 +2,8 @@ name: Windows.System.RootCAStore
 description: |
    Enumerate the root certificates in the Windows Root store.
 
-   Att&ck: #T1553
-
 reference:
+   - "ATT&CK: T1553"
    - https://attack.mitre.org/techniques/T1553/004/
 
 parameters:

artifacts/definitions/Windows/System/WMIQuery.yaml

@@ -13,7 +13,6 @@ description: |
 
     Please see the second reference link for an example of built in system classes.
 
-
 reference:
     - https://docs.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page
     - https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/operating-system-classes