diff --git a/detections/endpoint/ssa___windows_powershell_delete_shadowcopy.yml b/detections/endpoint/ssa___windows_powershell_delete_shadowcopy.yml deleted file mode 100644 index 59a25edc0f..0000000000 --- a/detections/endpoint/ssa___windows_powershell_delete_shadowcopy.yml +++ /dev/null 
@@ -1,81 +0,0 @@ -name: Windows PowerShell Delete ShadowCopy -id: 2e66123e-f90a-448c-b11d-9d063cfe89b0 -version: 1 -date: '2022-11-14' -author: Michael Haag, Splunk -type: TTP -datamodel: -- Endpoint_Processes -description: This following analytic detects PowerShell command to delete shadow copy - using the WMIC PowerShell module. This technique was seen used by a recent adversary - to deploy DarkSide Ransomware where it executed a child process of PowerShell to - execute a hex encoded command to delete shadow copy. This hex encoded command was - able to be decrypted by PowerShell log. -search: '| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, - "_time"), "string", null)), cmd_line=lower(ucast(map_get(input_event, "process"), - "string", null)), process_name=lower(ucast(map_get(input_event, "process_name"), - "string", null)), process_path=ucast(map_get(input_event, "process_path"), "string", - null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", - null), event_id=ucast(map_get(input_event, "event_id"), "string", null) | where - cmd_line IS NOT NULL AND process_name IS NOT NULL | where - like (cmd_line, "%shadowcopy%") | where like (cmd_line, "%delete%") OR like (cmd_line, - "%remove%")) | eval start_time=timestamp, end_time=timestamp, entities=mvappend(ucast(map_get(input_event, - "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), - "string", null)), body=create_map(["event_id", event_id, "cmd_line", cmd_line, "process_name", - process_name, "parent_process_name", parent_process_name, "process_path", process_path]) - | into write_ssa_detected_events();' -how_to_implement: To successfully implement this analytic, you will need to enable - PowerShell Script Block Logging (4104) on some or all endpoints. Additional setup here - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
-known_false_positives: It is possible administrators may delete shadow copies. Filter as needed or monitor. -references: - - https://www.mandiant.com/resources/shining-a-light-on-darkside-ransomware-operations - - https://www.techtarget.com/searchwindowsserver/tutorial/Set-up-PowerShell-script-block-logging-for-added-security -tags: - analytic_story: - - DarkSide Ransomware - - Ransomware - - Revil Ransomware - asset_type: Endpoint - cis20: - - CIS 3 - - CIS 5 - - CIS 16 - confidence: 90 - context: - - Source:Endpoint - - Stage:Execution - dataset: - - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log - impact: 90 - kill_chain_phases: - - Exploitation - message: An attempt to delete ShadowCopy was performed using PowerShell on $dest_device_id$ - by $dest_user_id$. - mitre_attack_id: - - T1490 - nist: - - DE.CM - observable: - - name: dest_user_id - type: User - role: - - Victim - - name: dest_device_id - type: Hostname - role: - - Victim - risk_severity: 'medium' - product: - - Splunk Behavioral Analytics - required_fields: - - _time - - dest_device_id - - process_name - - parent_process_name - - process_path - - dest_user_id - - process - - cmd_line - risk_score: 81 - security_domain: endpoint diff --git a/detections/endpoint/ssa___windows_powershell_empire_behavior.yml b/detections/endpoint/ssa___windows_powershell_empire_behavior.yml deleted file mode 100644 index e1ba7c5ba3..0000000000 --- a/detections/endpoint/ssa___windows_powershell_empire_behavior.yml +++ /dev/null 
@@ -1,82 +0,0 @@ -name: Windows PowerShell Empire Behavior -id: 5ea7bca8-2d8b-42f3-858d-44e5e6da3af9 -version: 1 -date: '2022-11-14' -author: Michael Haag, Splunk -type: TTP -datamodel: -- Endpoint_Processes -description: 'The following' -search: '| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, - "_time"), "string", null)), cmd_line=lower(ucast(map_get(input_event, "process"), - "string", null)), process_name=lower(ucast(map_get(input_event, "process_name"), - "string", null)), process_path=ucast(map_get(input_event, "process_path"), "string", - null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", - null), event_id=ucast(map_get(input_event, "event_id"), "string", null) | where - cmd_line IS NOT NULL AND process_name IS NOT NULL | where - (like (cmd_line, "%system.net.webclient%") AND like (cmd_line, "%frombase64string%")) | eval start_time=timestamp, end_time=timestamp, entities=mvappend(ucast(map_get(input_event, - "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), - "string", null)), body=create_map(["event_id", event_id, "cmd_line", cmd_line, "process_name", - process_name, "parent_process_name", parent_process_name, "process_path", process_path]) - | into write_ssa_detected_events();' -how_to_implement: To successfully implement this analytic, you will need to enable - PowerShell Script Block Logging on some or all endpoints. Additional setup here - https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. -known_false_positives: False positives may only pertain to it not being related to - Empire, but another framework. Filter as needed if any applications use the same - pattern. -references: -- https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. 
-- https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63 -- https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf -- https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/ -- https://github.com/BC-SECURITY/Empire -- https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html -tags: - analytic_story: - - Hermetic Wiper - - Malicious PowerShell - asset_type: Endpoint - cis20: - - CIS 3 - - CIS 5 - - CIS 16 - confidence: 90 - context: - - Source:Endpoint - - Stage:Execution - dataset: - - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/empire.log - impact: 90 - kill_chain_phases: - - Exploitation - message: The following behavior was identified and typically related to PowerShell-Empire - on $dest_device_id$ by $dest_user_id$. - mitre_attack_id: - - T1059 - - T1059.001 - nist: - - DE.CM - observable: - - name: dest_user_id - type: User - role: - - Victim - - name: dest_device_id - type: Hostname - role: - - Victim - risk_severity: medium - product: - - Splunk Behavioral Analytics - required_fields: - - _time - - dest_device_id - - process_name - - parent_process_name - - process_path - - dest_user_id - - process - - cmd_line - risk_score: 81 - security_domain: endpoint diff --git a/tests/endpoint/ssa___windows_powershell_delete_shadowcopy.test.yml b/tests/endpoint/ssa___windows_powershell_delete_shadowcopy.test.yml deleted file mode 100644 index 26c105c16f..0000000000 --- a/tests/endpoint/ssa___windows_powershell_delete_shadowcopy.test.yml +++ /dev/null 
@@ -1,13 +0,0 @@ -name: Windows PowerShell Delete ShadowCopy Unit Test -tests: -- name: Windows PowerShell Delete ShadowCopy - file: endpoint/ssa___windows_powershell_delete_shadowcopy.yml - pass_condition: '| stats count | where count > 0' - earliest_time: -24h - latest_time: now - attack_data: - - file_name: sbl_xml.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log - source: XmlWinEventLog - sourcetype: XmlWinEventLog - update_timestamp: true diff --git a/tests/endpoint/ssa___windows_powershell_empire_behavior.test.yml b/tests/endpoint/ssa___windows_powershell_empire_behavior.test.yml deleted file mode 100644 index fedc2ed083..0000000000 --- a/tests/endpoint/ssa___windows_powershell_empire_behavior.test.yml +++ /dev/null @@ -1,13 +0,0 @@ -name: Windows PowerShell Empire Behavior Unit Test -tests: -- name: Windows PowerShell Empire Behavior - file: endpoint/ssa___windows_powershell_empire_behavior.yml - pass_condition: '| stats count | where count > 0' - earliest_time: -24h - latest_time: now - attack_data: - - file_name: empire.log - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/empire.log - source: XmlWinEventLog - sourcetype: XmlWinEventLog - update_timestamp: true
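Review bot: The first hunk (ssa___windows_powershell_delete_shadowcopy.yml) removes the patch's only Splunk Behavioral Analytics coverage for T1490 shadow-copy deletion via PowerShell with no replacement hunk and no explanation; the commit message should state whether an equivalent non-SSA analytic already covers `%shadowcopy%` plus `%delete%`/`%remove%` in PowerShell script-block logs (event 4104), or that the removal is deliberate, so the DarkSide, Ransomware and Revil analytic stories it was attached to do not silently lose a detection. Anyone porting the deleted logic should also note that its search is not syntactically clean as written: `| where like (cmd_line, "%delete%") OR like (cmd_line, "%remove%"))` carries an unmatched closing parenthesis, and the unparenthesised `OR` does not bind the two `like` tests together as the description implies.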
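Review bot: Deleting ssa___windows_powershell_empire_behavior.yml (second hunk) is defensible on quality grounds alone, since the file shipped with a placeholder `description: 'The following'` and a trailing period glued onto its first reference URL, but the commit message should still record that the `Malicious PowerShell` and `Hermetic Wiper` analytic stories lose their T1059.001 `system.net.webclient` + `frombase64string` detection and name the analytic that now covers that pattern, if any.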
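Review bot: The test deletion in the third hunk (ssa___windows_powershell_delete_shadowcopy.test.yml) correctly pairs with the detection removal, as its `file: endpoint/ssa___windows_powershell_delete_shadowcopy.yml` points at the yml deleted in the first hunk, so no orphaned unit test is left behind; the same holds for the fourth hunk and the Empire detection. The attack_data URLs (sbl_xml.log, empire.log) under the attack_data repository are only dereferenced by these tests, so nothing in this patch needs to change there.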