From 99253763afd10f69448d5b82b678117c80d831b7 Mon Sep 17 00:00:00 2001
From: Lurkkeli
Date: Tue, 7 Aug 2018 08:45:58 +0200
Subject: [PATCH] added att&ck tag

---
 rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml b/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml
index d79982ad..ba715d30 100644
--- a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml
+++ b/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml
@@ -14,6 +14,10 @@ detection:
 SourceImage: '*\powershell.exe'
 TargetImage: '*\rundll32.exe'
 condition: selection
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1085
 falsepositives:
 - Unkown
 level: high
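Review bot: The technique tag `attack.t1085` in the new `tags:` block points at the ATT&CK Rundll32 entry, which was the current ID when this commit was made but has since been deprecated and folded into the sub-technique T1218.011 (Signed Binary Proxy Execution: Rundll32), so tooling that resolves tags against a current ATT&CK matrix may fail to map this rule. Consider adding `- attack.t1218.011` next to (or in place of) `- attack.t1085`, depending on which ATT&CK version the rule set pins. The tactic tags `attack.defense_evasion` and `attack.execution` still match the tactics listed for Rundll32, so those can stay. The enclosing `detection:` mapping begins above the hunk, so the Sysmon event type the selection keys on is not visible here and is not assessed.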