diff --git a/deprecated/windows/proc_creation_win_wuauclt_execution.yml b/deprecated/windows/proc_creation_win_wuauclt_execution.yml
index 2b053596d..d2bcdb016 100644
--- a/deprecated/windows/proc_creation_win_wuauclt_execution.yml
+++ b/deprecated/windows/proc_creation_win_wuauclt_execution.yml
@@ -9,7 +9,7 @@ date: 2020/10/17
 modified: 2023/11/11
 tags:
     - attack.command_and_control
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1105
     - attack.t1218
 logsource:
diff --git a/rules-emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml b/rules-emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml
index cdf72b9c5..bbf33f2e4 100644
--- a/rules-emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml
+++ b/rules-emerging-threats/2018/TA/APT29-CozyBear/file_event_win_apt_cozy_bear_phishing_campaign_indicators.yml
@@ -12,7 +12,7 @@ author: '@41thexplorer'
 date: 2018/11/20
 modified: 2023/02/20
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218.011
     - detection.emerging_threats
 logsource:
diff --git a/rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml b/rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml
index 9ab88ea7f..d18f6cb70 100644
--- a/rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml
+++ b/rules-emerging-threats/2018/TA/APT29-CozyBear/proc_creation_win_apt_apt29_phishing_campaign_indicators.yml
@@ -13,6 +13,7 @@ author: Florian Roth (Nextron Systems), @41thexplorer
 date: 2018/11/20
 modified: 2023/03/08
 tags:
+    - attack.defense_evasion
     - attack.execution
     - attack.t1218.011
     - detection.emerging_threats
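Review bot: `modified: 2023/11/11` is left untouched although this hunk changes the rule's tag set; if the repository's convention is to bump `modified` whenever a rule file is edited, that line should move to the date of this change, `modified: YYYY/MM/DD` (placeholder for the commit date). The same applies to every other hunk in this diff that shows a `modified:` line: both APT29 rules, diskshadow_script_mode, win_msi_install_from_web, cmd_curl_download_exec_combo, cmd_redirection_susp_folder, both dsacls rules, expand_cabinet_files, lolbin_dotnet, lolbin_msdeploy, mofcomp_execution and susp_use_of_te_bin. This first file sits under deprecated/, so retagging it only changes archived content and is worth confirming as intended.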
diff --git a/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml b/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml
index bbfa00cca..fd7bf4162 100644
--- a/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml
+++ b/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml
@@ -11,7 +11,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems), NCSC (Idea)
 date: 2023/05/15
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
     - detection.emerging_threats
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml
index 9a57c9125..d32cee14a 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_child_process.yml
@@ -19,8 +19,9 @@ references:
 author: Harjot Singh @cyb3rjy0t
 date: 2023/09/15
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
+    - attack.execution
     - detection.threat_hunting
 logsource:
     category: process_creation
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml
index 27f8c2dfe..20c9bd879 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_diskshadow_script_mode.yml
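Review bot: In the diskshadow_child_process hunk `attack.execution` is re-added after `attack.t1218`, so the rule now carries an execution tactic with no execution technique tag next to it, while every other hunk in this diff simply drops that tactic; a reader of the tag list cannot tell which technique the tactic is meant to cover. Either remove the re-added line or keep it paired with the technique it stands for, i.e. `    - attack.execution` directly followed by the matching `    - attack.t<id>` (placeholder for the technique the rule actually maps to). The same re-ordering appears in the diskshadow_script_mode hunk that follows this one.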
@@ -21,8 +21,9 @@ author: Ivan Dyachkov, oscd.community
 date: 2020/10/07
 modified: 2023/09/14
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
+    - attack.execution
     - detection.threat_hunting
 logsource:
     category: process_creation
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml
index aa976ace8..2587e50c1 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml
@@ -13,7 +13,7 @@ references:
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2024/02/05
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
     - detection.threat_hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml
index 12abe2b93..3acfdf498 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_regsvr32_dllregisterserver_exec.yml
@@ -15,7 +15,7 @@ references:
 author: Andreas Braathen (mnemonic.io), Nasreddine Bencherchali (Nextron Systems)
 date: 2023/10/17
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
     - detection.threat_hunting
 logsource:
diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml
index 556d1bf32..f38872e07 100644
--- a/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_rundll32_dllregisterserver.yml
@@ -13,7 +13,7 @@ references:
 author: Andreas Braathen (mnemonic.io)
 date: 2023/10/17
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
     - detection.threat_hunting
 logsource:
diff --git a/rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml b/rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml
index e587aff44..c6bd3ad8e 100644
--- a/rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml
+++ b/rules/windows/builtin/application/msiinstaller/win_msi_install_from_web.yml
@@ -8,7 +8,7 @@ author: Stamatis Chatzimangou
 date: 2022/10/23
 modified: 2022/10/23
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
     - attack.t1218.007
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_sed_file_creation.yml b/rules/windows/file/file_event/file_event_win_sed_file_creation.yml
index b6147a2bb..b84bc8b2b 100644
--- a/rules/windows/file/file_event/file_event_win_sed_file_creation.yml
+++ b/rules/windows/file/file_event/file_event_win_sed_file_creation.yml
@@ -15,7 +15,7 @@ references:
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2024/02/05
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: file_event
diff --git a/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml b/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml
index 88cc73726..121cf8c6f 100644
--- a/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml
+++ b/rules/windows/file/file_executable_detected/file_executable_detected_win_susp_embeded_sed_file.yml
@@ -16,7 +16,7 @@ references:
 author: Joseliyo Sanchez, @Joseliyo_Jstnk
 date: 2024/02/05
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml b/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml
index 5658158fb..316c92640 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml
@@ -8,7 +8,7 @@ author: Sreeman, Nasreddine Bencherchali (Nextron Systems)
 date: 2020/01/13
 modified: 2024/02/17
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
     - attack.command_and_control
     - attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
index bf889c045..6a92f17b4 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
@@ -13,7 +13,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/12
 modified: 2023/05/15
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml
index c95f7c0df..bdc0bb328 100644
--- a/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml
+++ b/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml
@@ -22,7 +22,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/09/15
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation
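Review bot: The cmd_curl_download_exec_combo hunk removes `attack.execution` outright, yet the rule's file name describes a download-and-execute pattern and the tags that remain map only to defense evasion (`attack.t1218`) and command and control (`attack.t1105`); if the rule is meant to cover the execution step as well, the tactic should stay and be paired with an execution technique rather than be dropped. If the retagging is deliberate because no execution technique applies, a short sentence in the rule's description saying so would keep the tag from being reintroduced by a later contributor. The rule's detection section lies outside this hunk, so the mapping cannot be confirmed from here.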
diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml
index 34c9f9dba..d62d04cf3 100644
--- a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml
+++ b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml
@@ -24,7 +24,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/09/15
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml
index b78bfab51..d6ce8ca0c 100644
--- a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml
@@ -22,7 +22,7 @@ references:
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/09/15
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml b/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml
index 04ebdede8..ef6c783f5 100644
--- a/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml
+++ b/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml
@@ -9,7 +9,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/20
 modified: 2023/02/04
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml b/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml
index 216376d20..48323ecba 100644
--- a/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml
+++ b/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml
@@ -10,7 +10,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/20
 modified: 2023/02/04
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
index 4815b1595..ae4f08690 100644
--- a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
+++ b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml
@@ -9,7 +9,7 @@ author: Bhabesh Raj, X__Junior (Nextron Systems)
 date: 2021/07/30
 modified: 2023/11/02
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml
index 52264203a..b90112308 100644
--- a/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_iexpress_susp_execution.yml
@@ -12,7 +12,7 @@ references:
 author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)
 date: 2024/02/05
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml b/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml
index 002cacc64..af2891218 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml
@@ -10,7 +10,7 @@ author: Beyu Denis, oscd.community
 date: 2020/10/18
 modified: 2023/02/04
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml b/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml
index 14d8ca104..8ffd86314 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml
@@ -10,7 +10,7 @@ author: Beyu Denis, oscd.community
 date: 2020/10/18
 modified: 2021/11/27
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml b/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml
index d1c6e2f00..afa96001a 100644
--- a/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml
@@ -13,7 +13,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/12
 modified: 2023/04/11
 tags:
-    - attack.execution
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml
index 2bafda846..406f171fa 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml
@@ -12,6 +12,7 @@ author: 'Agro (@agro_sev) oscd.community'
 date: 2020/10/13
 modified: 2021/11/27
 tags:
+    - attack.defense_evasion
     - attack.t1218
 logsource:
     category: process_creation