fix typos, update tags

rules/windows/builtin/win_disable_event_logging.yml

@@ -6,7 +6,7 @@ references:
 tags:
     - attack.defense_evasion
     - attack.t1054          # an old one
-    - attack.t1562.006
+    - attack.t1562.002
 author: '@neu5ron'
 date: 2017/11/19
 logsource:

rules/windows/other/win_defender_psexec_wmi_asr.yml

@@ -10,9 +10,8 @@ date: 2020/07/14
 tags:
     - attack.execution
     - attack.lateral_movement
-    - attack.t1570
     - attack.t1047
-    - attack.t1569
+    - attack.t1035 # an old one
     - attack.t1569.002
 logsource:
     product: windows_defender

rules/windows/process_access/sysmon_invoke_phantom.yml

@@ -10,7 +10,7 @@ references:
     - https://twitter.com/timbmsft/status/900724491076214784
 tags:
     - attack.defense_evasion
-    - attck.t1562.002
+    - attack.t1562.002
     - attack.t1089  # an old one
 logsource:
     category: process_access

rules/windows/process_creation/win_etw_trace_evasion.yml

@@ -11,7 +11,7 @@ date: 2019/03/22
 tags:
     - attack.defense_evasion
     - attack.t1070
-    - attack.t1562
+    - attack.t1562.006
     - car.2016-04-002
 level: high
 logsource:

rules/windows/process_creation/win_susp_covenant.yml

@@ -8,7 +8,9 @@ author: Florian Roth
 date: 2020/06/04
 tags:
     - attack.execution
+    - attack.defense_evasion
     - attack.t1059.001
+    - attack.t1564.003
     - attack.t1086        # an old one
 logsource:
     category: process_creation

rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml

@@ -19,9 +19,9 @@ detection:
     condition: selection
 tags:
     - attack.execution
+    - attack.persistence
     - attack.t1177 # an old one
     - attack.t1547.008
 falsepositives:
     - Unknown
 level: high
-