From b50c13dd1f5ac56758b9df93d63a0953adac088e Mon Sep 17 00:00:00 2001
From: Lurkkeli
Date: Tue, 7 Aug 2018 08:27:24 +0200
Subject: [PATCH] Update att&ck tag
---
 rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml
index 5657c885..ad4a0db3 100644
--- a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml
+++ b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml
@@ -26,6 +26,9 @@ detection:
 fields:
 - CommandLine
 - ParentCommandLine
+tags:
+ - attack.credential_access
+ - attack.t1003
 falsepositives:
 - Administrative activity
 level: high
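Review bot: The added `- attack.t1003` tag maps the rule only to the parent technique, which is coarser than what the file name suggests the rule detects (NTDS access via vssadmin). Current ATT&CK tracks NTDS extraction as sub-technique T1003.003, so where the tag taxonomy in use supports sub-techniques I would write `- attack.t1003.003` next to or instead of `- attack.t1003`, so that coverage mapping lands on the right cell. The `detection:` block starts above the hunk and its selection is not visible here, so this mapping should be confirmed against the actual match conditions. As a style point, `tags:` is conventionally kept with the header metadata ahead of `logsource:`/`detection:` rather than between `fields:` and `falsepositives:`. Key order does not change parsing, but it keeps rules uniform for reviewers.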