diff --git a/rules/windows/builtin/win_susp_net_recon_activity.yml b/rules/windows/builtin/win_susp_net_recon_activity.yml
index fec7e1b9..ac3c34f3 100644
--- a/rules/windows/builtin/win_susp_net_recon_activity.yml
+++ b/rules/windows/builtin/win_susp_net_recon_activity.yml
@@ -1,9 +1,6 @@
 title: Reconnaissance Activity
 status: experimental
 description: 'Detects activity as "net user administrator /domain" and "net group domain admins /domain"'
-tags:
- - attack.discovery
- - attack.t1087
 references:
 - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
 author: Florian Roth (rule), Jack Croock (method)