From 1ba0a7c7a3557a43d87e14b3bd1d3917f24195c8 Mon Sep 17 00:00:00 2001
From: frack113
Date: Wed, 1 Sep 2021 19:38:35 +0200
Subject: [PATCH 1/3] add missing tags
---
 .../windows/file_event/sysmon_tsclient_filewrite_startup.yml | 3 +++
 rules/windows/other/win_defender_amsi_trigger.yml | 5 ++++-
 rules/windows/other/win_defender_threat.yml | 3 +++
 .../windows/registry_event/sysmon_reg_vbs_payload_stored.yml | 3 +++
 .../registry_event/sysmon_sysinternals_eula_accepted.yml | 3 +++
 5 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml
index c171dcdf..d11fd2b3 100755
--- a/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml
+++ b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml
@@ -15,3 +15,6 @@ detection:
 falsepositives:
 - unknown
 level: high
+tags:
+ - attack.command_and_control
+ - attack.t1219
\ No newline at end of file
diff --git a/rules/windows/other/win_defender_amsi_trigger.yml b/rules/windows/other/win_defender_amsi_trigger.yml
index f872bf22..2478a55c 100644
--- a/rules/windows/other/win_defender_amsi_trigger.yml
+++ b/rules/windows/other/win_defender_amsi_trigger.yml
@@ -17,4 +17,7 @@ detection:
 condition: selection
 falsepositives:
 - unlikely
-level: high
\ No newline at end of file
+level: high
+tags:
+ - attack.execution
+ - attack.t1059
\ No newline at end of file
diff --git a/rules/windows/other/win_defender_threat.yml b/rules/windows/other/win_defender_threat.yml
index 9721af7b..76413e11 100644
--- a/rules/windows/other/win_defender_threat.yml
+++ b/rules/windows/other/win_defender_threat.yml
@@ -20,3 +20,6 @@ detection:
 falsepositives:
 - unlikely
 level: high
+tags:
+ - attack.execution
+ - attack.t1059
\ No newline at end of file
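Review bot: The new last line `+ - attack.t1219` in sysmon_tsclient_filewrite_startup.yml is still written without a terminating newline, as the `\ No newline at end of file` marker on the new side shows; since the commit already appends to the end of the file, it could end the added block with a newline. The same applies to the hunks for win_defender_amsi_trigger.yml (which rewrites `level: high` and keeps the missing newline), win_defender_threat.yml, sysmon_reg_vbs_payload_stored.yml, win_susp_cmd_shadowcopy_access.yml, win_susp_rundll32_inline_vbs.yml, win_susp_screenconnect_access.yml, win_susp_userinit_child.yml, win_malware_conti_shadowcopy.yml and win_malware_dtrack.yml. Separately, a rule whose file name says it detects a write into the Startup folder also describes attack.persistence / attack.t1547.001, not only remote-access tooling (T1219); the selection is outside the hunk, so confirm against the rule body before adding the extra tags.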
diff --git a/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml
index 0104e1bf..058178fc 100644
--- a/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml
+++ b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml
@@ -29,3 +29,6 @@ detection:
 falsepositives:
 - Unknown
 level: high
+tags:
+ - attack.persistence
+ - attack.t1547.001
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml b/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml
index 717e6b93..e526a09c 100755
--- a/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml
@@ -11,6 +11,9 @@ falsepositives:
 - Legitimate use of SysInternals tools
 - Programs that use the same Registry Key
 level: low
+tags:
+ - attack.resource_development
+ - attack.t1588.002
 ---
 logsource:
 product: windows
From e0cd35261cd47bc50ae84394ddef8f04a606c21e Mon Sep 17 00:00:00 2001
From: frack113
Date: Wed, 1 Sep 2021 20:01:03 +0200
Subject: [PATCH 2/3] add missing tags
---
 .../process_creation/win_susp_cmd_shadowcopy_access.yml | 3 +++
 .../windows/process_creation/win_susp_rundll32_inline_vbs.yml | 3 +++
 .../process_creation/win_susp_screenconnect_access.yml | 3 +++
 rules/windows/process_creation/win_susp_userinit_child.yml | 3 +++
 .../registry_event/sysmon_suspicious_keyboard_layout_load.yml | 4 +++-
 5 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml b/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml
index 319eef8e..9b475340 100644
--- a/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml
+++ b/rules/windows/process_creation/win_susp_cmd_shadowcopy_access.yml
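Review bot: The tags are added only to the first YAML document of sysmon_sysinternals_eula_accepted.yml, ahead of the ` ---` separator, while the following document (`logsource:` / `product: windows`, continuing outside the hunk) gets none. If the first document is a Sigma `action: global` block the tags propagate, but if each document is a standalone rule the later ones stay untagged; worth checking which case this file is and tagging each rule document accordingly. The `index` line also shows this rule file with mode 100755, which is presumably an unintended executable bit on a YAML file and could be dropped in the same change (sysmon_tsclient_filewrite_startup.yml and sysmon_suspicious_keyboard_layout_load.yml carry the same mode).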
@@ -17,3 +17,6 @@ detection:
 falsepositives:
 - Some rare backup scenarios
 level: medium
+tags:
+ - attack.impact
+ - attack.t1490
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml b/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml
index e85f144e..7018898a 100644
--- a/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml
@@ -20,3 +20,6 @@ detection:
 falsepositives:
 - Unknown
 level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1055
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_susp_screenconnect_access.yml b/rules/windows/process_creation/win_susp_screenconnect_access.yml
index 0f6f6259..d146d9dc 100644
--- a/rules/windows/process_creation/win_susp_screenconnect_access.yml
+++ b/rules/windows/process_creation/win_susp_screenconnect_access.yml
@@ -21,3 +21,6 @@ detection:
 falsepositives:
 - Legitimate use by administrative staff
 level: high
+tags:
+ - attack.initial_access
+ - attack.t1133
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_susp_userinit_child.yml b/rules/windows/process_creation/win_susp_userinit_child.yml
index 1b22804e..0c6693f1 100644
--- a/rules/windows/process_creation/win_susp_userinit_child.yml
+++ b/rules/windows/process_creation/win_susp_userinit_child.yml
@@ -24,3 +24,6 @@ fields:
 falsepositives:
 - Administrative scripts
 level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1055
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
index 0cd426a5..a7842bbe 100755
--- a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
+++ b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
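Review bot: `attack.t1490` (Inhibit System Recovery) covers disabling or deleting recovery data such as shadow copies, but the context line `- Some rare backup scenarios` under falsepositives suggests this rule matches copying or reading from a shadow copy rather than removing it; if the selection (outside the hunk) is a copy from a shadow-copy path, attack.credential_access / attack.t1003.003 or a collection tactic would be the closer mapping. The hunk for win_malware_conti_shadowcopy.yml adds the same pair with the same falsepositives entry and should be reviewed together; win_malware_dtrack.yml reuses the pair too, though nothing in its hunk indicates what the selection matches.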
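Review bot: `attack.t1055` (Process Injection) is an unlikely fit for a process-creation rule named after inline VBScript passed to rundll32; the observed behaviour corresponds to T1218.011 (System Binary Proxy Execution: Rundll32), with T1059.005 for the script language, so `+ - attack.t1218.011` would match the detection while keeping attack.defense_evasion. The hunk for win_susp_userinit_child.yml also uses attack.t1055 for a rule on child processes of userinit.exe, which a process-creation event cannot attribute to injection either; the intended technique for both should be confirmed against the selections, which lie outside the hunks.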
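Review bot: `attack.t1133` (External Remote Services) classifies ScreenConnect as an initial-access vector, whereas the tsclient hunk in this series maps remote-access tooling to attack.command_and_control / attack.t1219 (Remote Access Software); the two choices are inconsistent for the same class of tool. Unless the rule specifically detects the first inbound session rather than the presence or use of the client (the selection is outside the hunk), `+ - attack.t1219` alongside attack.command_and_control would keep the series coherent.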
@@ -25,4 +25,6 @@ detection:
 falsepositives:
 - "Administrators or users that actually use the selected keyboard layouts (heavily depends on the organisation's user base)"
 level: medium
-
+tags:
+ - attack.resource_development
+ - attack.t1588.002
From 6f1f70ca5e340b8884b0a020978a1bc79639acc1 Mon Sep 17 00:00:00 2001
From: frack113
Date: Thu, 2 Sep 2021 09:59:19 +0200
Subject: [PATCH 3/3] Add missing tags
---
 .../windows/process_creation/win_malware_conti_shadowcopy.yml | 3 +++
 rules/windows/process_creation/win_malware_dtrack.yml | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml
index 3292bcba..9c07e2c0 100644
--- a/rules/windows/process_creation/win_malware_conti_shadowcopy.yml
+++ b/rules/windows/process_creation/win_malware_conti_shadowcopy.yml
@@ -23,3 +23,6 @@ detection:
 falsepositives:
 - Some rare backup scenarios
 level: medium
+tags:
+ - attack.impact
+ - attack.t1490
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_malware_dtrack.yml b/rules/windows/process_creation/win_malware_dtrack.yml
index e5e429be..3d44a016 100644
--- a/rules/windows/process_creation/win_malware_dtrack.yml
+++ b/rules/windows/process_creation/win_malware_dtrack.yml
@@ -21,3 +21,6 @@ fields:
 falsepositives:
 - Unlikely
 level: critical
+tags:
+ - attack.impact
+ - attack.t1490
\ No newline at end of file
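Review bot: `attack.resource_development` / `attack.t1588.002` describe an adversary acquiring tooling before an intrusion, which a registry event for a keyboard-layout load on the victim host does not observe; the same pair is used for sysmon_sysinternals_eula_accepted.yml, where a tool-usage artifact at least relates to tooling. If the project deliberately maps such host indicators to T1588.002 this is consistent with it, otherwise a tactic describing the observed behaviour, or no technique tag, would be more accurate, and the rationale could be recorded in a short comment above `tags:`. This hunk also drops the trailing blank line (`-`) before adding `tags:`, which is fine but worth mentioning in the commit message since it is the only deletion in this patch.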