diff --git a/rules/windows/malware/win_mal_ryuk.yml b/rules/windows/malware/win_mal_ryuk.yml
index 02603871b..156ee19ab 100644
--- a/rules/windows/malware/win_mal_ryuk.yml
+++ b/rules/windows/malware/win_mal_ryuk.yml
@@ -24,3 +24,6 @@ detection:
 falsepositives:
     - Unlikely
 level: critical
+tags:
+    - attack.execution
+    - attack.t1204