diff --git a/rules/windows/builtin/win_disable_event_logging.yml b/rules/windows/builtin/win_disable_event_logging.yml
index da1f92fe0..52ef34e3f 100644
--- a/rules/windows/builtin/win_disable_event_logging.yml
+++ b/rules/windows/builtin/win_disable_event_logging.yml
@@ -6,7 +6,7 @@ references:
 tags:
 - attack.defense_evasion
 - attack.t1054 # an old one
- - attack.t1562.006
+ - attack.t1562.002
 author: '@neu5ron'
 date: 2017/11/19
 logsource:
diff --git a/rules/windows/other/win_defender_psexec_wmi_asr.yml b/rules/windows/other/win_defender_psexec_wmi_asr.yml
index 850023895..6761ba143 100644
--- a/rules/windows/other/win_defender_psexec_wmi_asr.yml
+++ b/rules/windows/other/win_defender_psexec_wmi_asr.yml
@@ -10,9 +10,8 @@ date: 2020/07/14
 tags:
 - attack.execution
 - attack.lateral_movement
- - attack.t1570
 - attack.t1047
- - attack.t1569
+ - attack.t1035 # an old one
 - attack.t1569.002
 logsource:
 product: windows_defender
diff --git a/rules/windows/process_access/sysmon_invoke_phantom.yml b/rules/windows/process_access/sysmon_invoke_phantom.yml
index a389a9a56..bbcf116ae 100755
--- a/rules/windows/process_access/sysmon_invoke_phantom.yml
+++ b/rules/windows/process_access/sysmon_invoke_phantom.yml
@@ -10,7 +10,7 @@ references:
 - https://twitter.com/timbmsft/status/900724491076214784
 tags:
 - attack.defense_evasion
- - attck.t1562.002
+ - attack.t1562.002
 - attack.t1089 # an old one
 logsource:
 category: process_access
diff --git a/rules/windows/process_creation/win_etw_trace_evasion.yml b/rules/windows/process_creation/win_etw_trace_evasion.yml
index 84c4fa7b8..71bb05e64 100644
--- a/rules/windows/process_creation/win_etw_trace_evasion.yml
+++ b/rules/windows/process_creation/win_etw_trace_evasion.yml
@@ -11,7 +11,7 @@ date: 2019/03/22
 tags:
 - attack.defense_evasion
 - attack.t1070
- - attack.t1562
+ - attack.t1562.006
 - car.2016-04-002
 level: high
 logsource:
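Review bot: The retained `- attack.t1054 # an old one` no longer lines up with the technique it sits next to: T1054 (Indicator Blocking) was folded into T1562.006, which is exactly the tag this hunk removes, whereas the new `attack.t1562.002` (Disable Windows Event Logging) has no T1054 lineage as far as I recall the sub-technique crosswalk. If t1562.002 is the intended mapping for this rule, the old-ID line should either be dropped or its comment should say it is kept for historical coverage rather than as the predecessor of t1562.002. Worth a quick check against the crosswalk before merging so the "old one" convention stays meaningful.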
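Review bot: After dropping `attack.t1570`, the `attack.lateral_movement` tactic tag just above `attack.t1047` has no technique backing it — T1047 and T1569.002 are Execution-only in ATT&CK. Either remove the tactic tag or add the lateral-movement technique the PsExec/WMI path maps to, e.g. `- attack.t1021.002`, so tactic and technique tags stay mutually consistent as they do in the other rules touched by this commit. Minor style point: the `# an old one` line for t1035 precedes its successor t1569.002 here but follows the successor in sysmon_invoke_phantom; one order repo-wide would make these easier to review.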
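Review bot: The corrected `attack.t1562.002` line fixes a tag that anything keying on the `attack.` namespace (navigator layer generation, tactic/technique consistency checks) would have silently skipped; if the repository's rule tests do not already reject unknown tag prefixes, a check for that would keep this class of typo from regressing. Separately, `attack.t1089 # an old one` on the next line is, as far as I recall the crosswalk, the predecessor of T1562.001 (Disable or Modify Tools) rather than of t1562.002, so that pairing deserves a second look. The defense_evasion tactic tag itself is appropriate for this rule.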
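Review bot: With the parent `attack.t1562` replaced by `attack.t1562.006` (Indicator Blocking), this hunk is the one place in the commit that does not keep the deprecated predecessor next to the sub-technique: T1054 was the pre-sub-technique ID for Indicator Blocking, and win_disable_event_logging in this same commit still carries `- attack.t1054 # an old one`. For consistency with that convention, add `- attack.t1054 # an old one` beside the new tag, or drop the old-ID convention everywhere rather than in a single rule.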
diff --git a/rules/windows/process_creation/win_susp_covenant.yml b/rules/windows/process_creation/win_susp_covenant.yml
index 40fa8950f..d2440ff5c 100644
--- a/rules/windows/process_creation/win_susp_covenant.yml
+++ b/rules/windows/process_creation/win_susp_covenant.yml
@@ -8,7 +8,9 @@ author: Florian Roth
 date: 2020/06/04
 tags:
 - attack.execution
+ - attack.defense_evasion
 - attack.t1059.001
+ - attack.t1564.003
 - attack.t1086 # an old one
 logsource:
 category: process_creation
diff --git a/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml b/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
index bf440234b..e7ff37013 100644
--- a/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
+++ b/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
@@ -19,9 +19,9 @@ detection:
 condition: selection
 tags:
 - attack.execution
+ - attack.persistence
 - attack.t1177 # an old one
 - attack.t1547.008
 falsepositives:
 - Unknown
 level: high
-
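Review bot: The new `attack.t1564.003` (Hidden Window) line is added without the deprecated-ID entry the rest of this commit keeps for migrated techniques; T1143 was the pre-sub-technique ID for Hidden Window, so `- attack.t1143 # an old one` would mirror the `attack.t1086 # an old one` line two below. The added `attack.defense_evasion` tactic is consistent with T1564.003. The detection block that would justify a hidden-window tag is outside the hunk, so I am assuming the selection matches a `-Window Hidden`-style argument; confirm before tagging.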
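Review bot: Adding `attack.persistence` covers only one of the two tactics T1547.008 (LSASS Driver) maps to; it is also Privilege Escalation, so `- attack.privilege_escalation` belongs next to the new line. The retained `attack.execution` appears to come only from the deprecated T1177 on the following line, so it is worth confirming it is still wanted once the old ID is eventually dropped. The trailing removed line at the end of the hunk looks like a deleted blank or whitespace-only line and is fine as is.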