fix: more duplicate 'tag' keys in rules

rules/windows/builtin/win_susp_msmpeng_crash.yml

@@ -3,15 +3,13 @@ description: This rule detects a suspicious crash of the Microsoft Malware Prote
 tags:
     - attack.defense_evasion
     - attack.t1089
+    - attack.t1211
 status: experimental
 date: 2017/05/09
 references:
     - https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5
     - https://technet.microsoft.com/en-us/library/security/4022344
 author: Florian Roth
-tags:
-    - attack.defense_evasion
-    - attack.t1211
 logsource:
     product: windows
     service: application

rules/windows/builtin/win_susp_rc4_kerberos.yml

@@ -5,11 +5,9 @@ references:
     - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
 tags:
     - attack.credential_dumping
-    - attack.T1208
-description: Detects service ticket requests using RC4 encryption type
-tags:
     - attack.credential_access
     - attack.t1208
+description: Detects service ticket requests using RC4 encryption type
 logsource:
     product: windows
     service: security

rules/windows/builtin/win_susp_rundll32_activity.yml

@@ -11,10 +11,6 @@ tags:
     - attack.execution
     - attack.t1085
 author: juju4
-tags:
-    - attack.execution
-    - attack.defense_evasion
-    - attack.t1085
 detection:
     selection:
         CommandLine:

rules/windows/builtin/win_susp_security_eventlog_cleared.yml

@@ -4,9 +4,6 @@ tags:
     - attack.defense_evasion
     - attack.t1070
 author: Florian Roth
-tags:
-    - attack.defense_evasion
-    - attack.t1070
 logsource:
     product: windows
     service: security