From 21bee17ffdfd29ef4d1b5923df275ee7f0683dd8 Mon Sep 17 00:00:00 2001
From: Lurkkeli
Date: Tue, 7 Aug 2018 08:07:49 +0200
Subject: [PATCH 1/2] Update sysmon_uac_bypass_eventvwr.yml
---
 rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
index f3a28a27c..3a3763cc4 100644
--- a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
@@ -21,6 +21,10 @@ detection:
 fields:
 - CommandLine
 - ParentCommandLine
+tags:
+ - attack.defense_Evasion
+ - attack.privelege_Escalation
+ - attack.t1088
 falsepositives:
 - unknown
 level: critical
From b049210641abc3e28021de579d7e8c7b2830db95 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Tue, 7 Aug 2018 08:20:09 +0200
Subject: [PATCH 2/2] Fixed tags
---
 rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
index 3a3763cc4..5d861b40a 100644
--- a/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
@@ -22,8 +22,8 @@ fields:
 - CommandLine
 - ParentCommandLine
 tags:
- - attack.defense_Evasion
- - attack.privelege_Escalation
+ - attack.defense_evasion
+ - attack.privilege_escalation
 - attack.t1088
 falsepositives:
 - unknown
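Review bot: The `- attack.t1088` line kept as context in the second hunk is the only technique tag on this rule, and MITRE has since deprecated T1088, folding "Bypass User Account Control" into T1548.002 (Abuse Elevation Control Mechanism); the tag was valid when this commit was made, but tooling that resolves tags against a current ATT&CK release will not find it, so a present-day maintainer should add `- attack.t1548.002` (keeping the legacy id alongside only if downstream consumers still key on it). The corrected tactic tags `attack.defense_evasion` and `attack.privilege_escalation` use the lowercase snake_case form that Sigma's tag conventions require, which is presumably why the first patch's mixed-case and misspelled variants needed fixing — a one-line commit message saying so would spare readers the two-patch archaeology. The `falsepositives: - unknown` context directly under the new tags is thin for a rule declared `level: critical`; if the detection is the eventvwr.exe-spawning-a-non-mmc-child check the filename suggests, documenting that (`- Unlikely; eventvwr.exe is expected to spawn only mmc.exe`) would help analysts triage hits, but the detection block itself is outside this hunk so I cannot confirm the exact logic.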