diff --git a/rules/windows/process_creation/win_renamed_meg.yml b/rules/windows/process_creation/win_renamed_meg.yml
index ff93ab47f..a39dc6874 100644
--- a/rules/windows/process_creation/win_renamed_meg.yml
+++ b/rules/windows/process_creation/win_renamed_meg.yml
@@ -8,7 +8,7 @@ author: Sittikorn S
 date: 2021/06/22
 tags:
     - attack.Defense_Evasion
-    - attack.T1218.001
+    - attack.T1218
 logsource:
     product: windows
     service: sysmon # require sysmon version >= 10.0