diff --git a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
index 128bb3640..46396f753 100644
--- a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
+++ b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
@@ -7,13 +7,12 @@ references:
 - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
 tags:
 - attack.lateral_movement
- - attack.privilege_escalation
- - attack.t1076
+ - attack.t1563.002
+ - attack.t1076 # an old one
 - car.2013-07-002
- - attack.t1021.001
 author: Florian Roth
 date: 2018/03/17
-modified: 2018/12/11
+modified: 2020/08/29
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_sysmon_driver_unload.yml b/rules/windows/process_creation/win_sysmon_driver_unload.yml
index c2c429b7d..a0b9258b4 100644
--- a/rules/windows/process_creation/win_sysmon_driver_unload.yml
+++ b/rules/windows/process_creation/win_sysmon_driver_unload.yml
@@ -4,12 +4,15 @@ status: experimental
 author: Kirill Kiryanov, oscd.community
 description: Detect possible Sysmon driver unload
 date: 2019/10/23
-modified: 2019/11/07
+modified: 2020/08/29
 references:
 - https://www.darkoperator.com/blog/2018/10/5/operating-offensively-against-sysmon
 logsource:
 product: windows
 category: process_creation
+tags:
+ - attack.defense_evasion
+ - attack.t1070
 detection:
 selection:
 Image|endswith: '\fltmc.exe'
diff --git a/rules/windows/process_creation/win_task_folder_evasion.yml b/rules/windows/process_creation/win_task_folder_evasion.yml
index e7844c4fe..a10446c67 100644
--- a/rules/windows/process_creation/win_task_folder_evasion.yml
+++ b/rules/windows/process_creation/win_task_folder_evasion.yml
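Review bot: The new `- attack.t1070` tag in win_sysmon_driver_unload.yml maps the rule to Indicator Removal on Host, which describes wiping logs and artifacts, whereas the description ("Detect possible Sysmon driver unload") and the `\fltmc.exe` selection in the context describe disabling a sensor. ATT&CK v7, whose sub-technique numbering this change already uses elsewhere, has the closer mapping T1562.001 Impair Defenses: Disable or Modify Tools, so I would change the line to `- attack.t1562.001` and keep `- attack.defense_evasion`. The detection block continues outside the hunk, so the exact command-line match could not be checked here.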
@@ -6,14 +6,16 @@ references:
 - https://twitter.com/subTee/status/1216465628946563073
 - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
 date: 2020/01/13
+modified: 2020/08/29
 author: Sreeman
 tags:
- - attack.t1064
- - attack.t1211
- - attack.t1059
 - attack.defense_evasion
 - attack.persistence
- - attack.t1059.005
+ - attack.execution
+ - attack.t1574.002
+ - attack.t1059 # an old one
+ - attack.t1064 # an old one
+
 logsource:
 product: Windows
 detection:
diff --git a/rules/windows/process_creation/win_termserv_proc_spawn.yml b/rules/windows/process_creation/win_termserv_proc_spawn.yml
index 01e05f7f4..0e4767335 100644
--- a/rules/windows/process_creation/win_termserv_proc_spawn.yml
+++ b/rules/windows/process_creation/win_termserv_proc_spawn.yml
@@ -6,7 +6,12 @@ references:
 - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/
 author: Florian Roth
 date: 2019/05/22
+modified: 2020/08/29
 tags:
+ - attack.initial_access
+ - attack.t1190
+ - attack.lateral_movement
+ - attack.t1210
 - car.2013-07-002
 logsource:
 product: windows
@@ -19,5 +24,4 @@ detection:
 condition: selection and not filter
 falsepositives:
 - Unknown
-level: high
-
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_uac_cmstp.yml b/rules/windows/process_creation/win_uac_cmstp.yml
index 1c234bfeb..8f31e7c4a 100644
--- a/rules/windows/process_creation/win_uac_cmstp.yml
+++ b/rules/windows/process_creation/win_uac_cmstp.yml
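Review bot: The comment on `- attack.t1059 # an old one` in win_task_folder_evasion.yml is misleading: T1059 (Command and Scripting Interpreter) is a current technique in the sub-technique model this change adopts, and only T1064 was deprecated into it, so the marker belongs on the t1064 line alone and this line should read `- attack.t1059`. The hunk also adds an empty `+` line between the tag list and `logsource:`, which no other rule in this change has; dropping it keeps the stanza layout uniform across the rule set. Whether `attack.t1574.002` (Hijack Execution Flow: DLL Side-Loading) fits this rule cannot be judged from the hunk, since the detection block lies outside it; worth confirming against the referenced tweet and gist before the mapping lands.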
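Review bot: The second hunk of win_termserv_proc_spawn.yml leaves the file without a terminating newline (`\ No newline at end of file`) while apparently only meaning to drop the stray blank line after `level: high`; a YAML file should end with exactly one newline, so keep `level: high` followed by a line feed and remove just the blank line. The tags added in the first hunk (`attack.t1190`, `attack.t1210`) are consistent with the CVE-2019-0708 reference visible in the context.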
@@ -3,18 +3,18 @@ id: e66779cc-383e-4224-a3a4-267eeb585c40
 description: Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).
 status: experimental
 author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
-modified: 2019/11/11
 date: 2019/10/24
+modified: 2020/08/29
 references:
 - https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md
 tags:
+ - attack.privilege_escalation
 - attack.defense_evasion
- - attack.execution
- - attack.t1191
- - attack.t1088
 - attack.t1548.002
- - attack.t1218
+ - attack.t1218.003
+ - attack.t1191 # an old one
+ - attack.t1088 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_uac_fodhelper.yml b/rules/windows/process_creation/win_uac_fodhelper.yml
index 31f1181da..e17d29db4 100644
--- a/rules/windows/process_creation/win_uac_fodhelper.yml
+++ b/rules/windows/process_creation/win_uac_fodhelper.yml
@@ -10,8 +10,8 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md
 tags:
 - attack.privilege_escalation
- - attack.t1088
 - attack.t1548.002
+ - attack.t1088 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_uac_wsreset.yml b/rules/windows/process_creation/win_uac_wsreset.yml
index ff41e342f..4734aebac 100644
--- a/rules/windows/process_creation/win_uac_wsreset.yml
+++ b/rules/windows/process_creation/win_uac_wsreset.yml
@@ -9,8 +9,8 @@ references:
 - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html
 tags:
 - attack.privilege_escalation
- - attack.t1088
 - attack.t1548.002
+ - attack.t1088 # an old one
 logsource:
 category: process_creation
 product: windows
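Review bot: Unlike the other rules in this change, win_uac_fodhelper.yml has its tag list rewritten without a `modified: 2020/08/29` bump; the hunk does not show the metadata header, so if the file carries a `modified` field it should be updated to match the rest of the commit. The same applies to win_uac_wsreset.yml, win_webshell_recon_detection.yml, win_webshell_spawn.yml, win_wmi_backdoor_exchange_transport_agent.yml and win_xsl_script_processing.yml, and in win_webshell_detection.yml the unchanged `modified: 2019/10/26` is visible in the hunk context right above the edited tags.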
diff --git a/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml b/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml
index bdbd6f21f..645b0034a 100644
--- a/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml
+++ b/rules/windows/process_creation/win_using_sc_to_change_sevice_image_path_by_non_admin.yml
@@ -5,12 +5,14 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
 - https://pentestlab.blog/2017/03/30/weak-service-permissions/
 tags:
+ - attack.persistence
+ - attack.defence_evasion
 - attack.privilege_escalation
- - attack.t1134
+ - attack.t1574.011
 status: experimental
 author: Teymur Kheirkhabarov
 date: 2019/10/26
-modified: 2019/11/11
+modified: 2020/08/29
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_vul_java_remote_debugging.yml b/rules/windows/process_creation/win_vul_java_remote_debugging.yml
index db262a82b..654135a43 100644
--- a/rules/windows/process_creation/win_vul_java_remote_debugging.yml
+++ b/rules/windows/process_creation/win_vul_java_remote_debugging.yml
@@ -3,9 +3,7 @@ id: 8f88e3f6-2a49-48f5-a5c4-2f7eedf78710
 description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
 author: Florian Roth
 date: 2019/01/16
-tags:
- - attack.discovery
- - attack.t1046
+modified: 2020/08/29
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml
index 1437d0a68..d55be5887 100644
--- a/rules/windows/process_creation/win_webshell_detection.yml
+++ b/rules/windows/process_creation/win_webshell_detection.yml
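Review bot: The added `- attack.defence_evasion` in win_using_sc_to_change_sevice_image_path_by_non_admin.yml uses the British spelling, while every other tactic tag in this diff is `attack.defense_evasion`; tooling that maps Sigma tactic tags onto ATT&CK will treat the misspelt tag as an unknown tactic and the rule will silently drop out of defense-evasion coverage reports. Change the line to `- attack.defense_evasion`. The `attack.t1574.011` mapping itself is consistent with the weak-service-permissions references in the context.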
@@ -7,10 +7,10 @@ reference:
 date: 2017/01/01
 modified: 2019/10/26
 tags:
- - attack.privilege_escalation
 - attack.persistence
- - attack.t1100
 - attack.t1505.003
+ - attack.privilege_escalation # an old one
+ - attack.t1100 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_webshell_recon_detection.yml b/rules/windows/process_creation/win_webshell_recon_detection.yml
index 4cfba51de..ed874a0f6 100644
--- a/rules/windows/process_creation/win_webshell_recon_detection.yml
+++ b/rules/windows/process_creation/win_webshell_recon_detection.yml
@@ -7,10 +7,10 @@ reference:
 - https://ragged-lab.blogspot.com/2020/07/webshells-automating-reconnaissance.html
 date: 2020/07/22
 tags:
- - attack.privilege_escalation
 - attack.persistence
- - attack.t1100
 - attack.t1505.003
+ - attack.privilege_escalation # an old one
+ - attack.t1100 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml
index 3d5888fe1..1135169c9 100644
--- a/rules/windows/process_creation/win_webshell_spawn.yml
+++ b/rules/windows/process_creation/win_webshell_spawn.yml
@@ -27,10 +27,10 @@ fields:
 - CommandLine
 - ParentCommandLine
 tags:
- - attack.privilege_escalation
 - attack.persistence
- - attack.t1100
 - attack.t1505.003
+ - attack.privilege_escalation # an old one
+ - attack.t1100 # an old one
 falsepositives:
 - Particular web applications may spawn a shell process legitimately
 level: high
diff --git a/rules/windows/process_creation/win_whoami_as_system.yml b/rules/windows/process_creation/win_whoami_as_system.yml
index 0f3d82450..4fee1a9e5 100644
--- a/rules/windows/process_creation/win_whoami_as_system.yml
+++ b/rules/windows/process_creation/win_whoami_as_system.yml
@@ -8,8 +8,8 @@ author: Teymur Kheirkhabarov
 date: 2019/10/23
 modified: 2019/11/11
 tags:
- - attack.discovery
 - attack.privilege_escalation
+ - attack.discovery
 - attack.t1033
 logsource:
 category: process_creation
diff --git a/rules/windows/process_creation/win_win10_sched_task_0day.yml b/rules/windows/process_creation/win_win10_sched_task_0day.yml
index 312fb4cd4..93db4c7d2 100644
--- a/rules/windows/process_creation/win_win10_sched_task_0day.yml
+++ b/rules/windows/process_creation/win_win10_sched_task_0day.yml
@@ -6,6 +6,7 @@ references:
 - https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe
 author: Olaf Hartong
 date: 2019/05/22
+modified: 2020/08/29
 logsource:
 category: process_creation
 product: windows
@@ -18,8 +19,7 @@ falsepositives:
 - Unknown
 tags:
 - attack.privilege_escalation
- - attack.execution
- - attack.t1053
- - car.2013-08-001
 - attack.t1053.005
+ - attack.t1053 # an old one
+ - car.2013-08-001
 level: high
diff --git a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
index b5fa97cb7..ef2451168 100644
--- a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
+++ b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
@@ -12,8 +12,8 @@ logsource:
 product: windows
 tags:
 - attack.persistence
- - attack.t1084
 - attack.t1546.003
+ - attack.t1084 # an old one
 detection:
 selection:
 ParentImage: '*\EdgeTransport.exe'
diff --git a/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml b/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml
index 2b1aab153..bfa4c899c 100644
--- a/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml
+++ b/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml
@@ -6,10 +6,12 @@ references:
 - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
 author: Thomas Patzke
 date: 2018/03/07
+modified: 2020/08/29
 tags:
- - attack.execution
 - attack.persistence
- - attack.t1047
+ - attack.privilege_escalation
+ - attack.t1546.003
+ - attack.t1047 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_wmi_spwns_powershell.yml b/rules/windows/process_creation/win_wmi_spwns_powershell.yml
index 91a69ec67..dee9e10d6 100644
--- a/rules/windows/process_creation/win_wmi_spwns_powershell.yml
+++ b/rules/windows/process_creation/win_wmi_spwns_powershell.yml
@@ -7,11 +7,13 @@ references:
 - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e
 author: Markus Neis / @Karneades
 date: 2019/04/03
+modified: 2020/08/29
 tags:
 - attack.execution
- - attack.defense_evasion
- - attack.t1064
+ - attack.t1047
 - attack.t1059.001
+ - attack.defense_evasion # an old one
+ - attack.t1064 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_wsreset_uac_bypass.yml b/rules/windows/process_creation/win_wsreset_uac_bypass.yml
index 61622933d..6b7116aec 100644
--- a/rules/windows/process_creation/win_wsreset_uac_bypass.yml
+++ b/rules/windows/process_creation/win_wsreset_uac_bypass.yml
@@ -8,11 +8,12 @@ references:
 - https://twitter.com/ReaQta/status/1222548288731217921
 author: Florian Roth
 date: 2020/01/30
+modified: 2020/08/29
 tags:
- - attack.defense_evasion
- - attack.execution
- - attack.t1088
+ - attack.privilege_escalation
+ - attack.defense_evasion
 - attack.t1548.002
+ - attack.t1088 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_xsl_script_processing.yml b/rules/windows/process_creation/win_xsl_script_processing.yml
index 5bcc4bda4..a25ce1307 100644
--- a/rules/windows/process_creation/win_xsl_script_processing.yml
+++ b/rules/windows/process_creation/win_xsl_script_processing.yml
@@ -22,5 +22,6 @@ falsepositives:
 - msxsl.exe is not installed by default so unlikely.
 level: medium
 tags:
- - attack.execution
+ - attack.defense_evasion
 - attack.t1220
+ - attack.execution # an old one