From 440b0ddffe4140bf9409efe2dd0415e732dcfc09 Mon Sep 17 00:00:00 2001 From: megan201296 Date: Tue, 9 Oct 2018 19:11:17 -0500 Subject: [PATCH] Update sysmon_susp_powershell_parent_combo.yml --- rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml index f6aa932a4..6c6c893d9 100644 --- a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml +++ b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml @@ -4,6 +4,9 @@ description: Detects suspicious powershell invocations from interpreters or unus author: Florian Roth references: - https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/ +tags: + - attack.execution + - attack.t1086 logsource: product: windows service: sysmon
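Review bot: The new `tags:` block between `references:` and `logsource:` is the whole change, but the subject line "Update sysmon_susp_powershell_parent_combo.yml" gives no hint of that, so the history will not show when ATT&CK coverage was added to this rule. Suggest a subject such as "Add ATT&CK tags (execution, T1086) to sysmon_susp_powershell_parent_combo.yml". The two values themselves fit the rule description (suspicious PowerShell invocations from interpreters or unusual parents): T1086 is the ATT&CK PowerShell technique and it sits under the Execution tactic. It is also worth confirming that the list items under `tags:` use the same indentation as the entries under `references:`, so the file stays consistent with the rest of the rule.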