From 3c240be8a89627d84a43dd94e439c427893ca478 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 4 Sep 2018 16:15:02 +0200
Subject: [PATCH] fix: more duplicate 'tag' keys in rules

---
 rules/windows/builtin/win_susp_msmpeng_crash.yml | 4 +---
 rules/windows/builtin/win_susp_rc4_kerberos.yml | 4 +---
 rules/windows/builtin/win_susp_rundll32_activity.yml | 4 ----
 rules/windows/builtin/win_susp_security_eventlog_cleared.yml | 3 ---
 4 files changed, 2 insertions(+), 13 deletions(-)

diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml
index d1994c38..c935ffac 100644
--- a/rules/windows/builtin/win_susp_msmpeng_crash.yml
+++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml
@@ -3,15 +3,13 @@ description: This rule detects a suspicious crash of the Microsoft Malware Prote
 tags:
 - attack.defense_evasion
 - attack.t1089
+ - attack.t1211
 status: experimental
 date: 2017/05/09
 references:
 - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
 - https://technet.microsoft.com/en-us/library/security/4022344
 author: Florian Roth
-tags:
- - attack.defense_evasion
- - attack.t1211
 logsource:
 product: windows
 service: application
diff --git a/rules/windows/builtin/win_susp_rc4_kerberos.yml b/rules/windows/builtin/win_susp_rc4_kerberos.yml
index 218e80fc..f49b151d 100644
--- a/rules/windows/builtin/win_susp_rc4_kerberos.yml
+++ b/rules/windows/builtin/win_susp_rc4_kerberos.yml
@@ -5,11 +5,9 @@ references:
 - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
 tags:
 - attack.credential_dumping
- - attack.T1208
-description: Detects service ticket requests using RC4 encryption type
-tags:
 - attack.credential_access
 - attack.t1208
+description: Detects service ticket requests using RC4 encryption type
 logsource:
 product: windows
 service: security
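Review bot: The merged tag list in win_susp_rc4_kerberos.yml keeps `attack.credential_dumping` alongside `attack.credential_access` and `attack.t1208`; every other tag in this patch follows the `attack.<tactic>` / `attack.tNNNN` scheme, and "credential_dumping" reads like a technique name rather than a tactic or an ID, so tooling that maps Sigma tags to ATT&CK will probably not resolve it. The commit removes the uppercase `attack.T1208` duplicate but leaves this stray tag on a context line. Consider dropping the line `    - attack.credential_dumping`, or replacing it with the technique ID that was meant; the tactic is already expressed by `attack.credential_access`. The `tags:` key is inside the hunk, while the rule's detection and level sections lie outside it.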
diff --git a/rules/windows/builtin/win_susp_rundll32_activity.yml b/rules/windows/builtin/win_susp_rundll32_activity.yml
index 3ce858c6..485c7210 100644
--- a/rules/windows/builtin/win_susp_rundll32_activity.yml
+++ b/rules/windows/builtin/win_susp_rundll32_activity.yml
@@ -11,10 +11,6 @@ tags:
 - attack.execution
 - attack.t1085
 author: juju4
-tags:
- - attack.execution
- - attack.defense_evasion
- - attack.t1085
 detection:
 selection:
 CommandLine:
diff --git a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
index af299feb..cc61bdf1 100644
--- a/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_security_eventlog_cleared.yml
@@ -4,9 +4,6 @@ tags:
 - attack.defense_evasion
 - attack.t1070
 author: Florian Roth
-tags:
- - attack.defense_evasion
- - attack.t1070
 logsource:
 product: windows
 service: security
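Review bot: The consolidation in win_susp_rundll32_activity.yml silently drops `attack.defense_evasion`: the removed second `tags:` block carried it, the block kept at the top of the hunk has only `attack.execution` and `attack.t1085`, and since most YAML loaders take the last duplicate key, the removed block is likely the set that was in effect before this commit. The msmpeng hunk in this same patch merges both duplicate sets instead of keeping one; doing the same here preserves the rule's tactic coverage. Add `    - attack.defense_evasion` to the kept list after `- attack.execution`. The `tags:` key itself sits in the hunk header context, so the list begins at the hunk's edge.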