diff --git a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml index f6aa932a4..6c6c893d9 100644 --- a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml +++ b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml @@ -4,6 +4,9 @@ description: Detects suspicious powershell invocations from interpreters or unus author: Florian Roth references: - https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/ +tags: + - attack.execution + - attack.t1086 logsource: product: windows service: sysmon
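Review bot: the new tags block, added between references and logsource, names only attack.execution and attack.t1086, so it covers the PowerShell child process but says nothing about the parent side that the description (PowerShell invoked from interpreters) and the referenced Carbon Black article on Excel-launched PowerShell are about. If tagging only the PowerShell technique is intentional, say so in the commit message. Otherwise, add a tag for the parent-process behaviour in the same tactic-then-technique order and lowercase attack. form used here, so that coverage reports built from these tags do not understate what the rule detects.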