From 6dde3012cc47fa3f3681b0eb9c41d15f8a4d6c87 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 11 Jul 2022 19:55:54 +0200
Subject: [PATCH] refactor: some changes

---
 .../windows/pipe_created/pipe_created_koh_default_pipe.yml | 6 ++++--
 .../powershell_script/posh_ps_import_module_susp_dirs.yml | 4 ++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/rules/windows/pipe_created/pipe_created_koh_default_pipe.yml b/rules/windows/pipe_created/pipe_created_koh_default_pipe.yml
index 3c3215b83..48c795a94 100644
--- a/rules/windows/pipe_created/pipe_created_koh_default_pipe.yml
+++ b/rules/windows/pipe_created/pipe_created_koh_default_pipe.yml
@@ -17,7 +17,9 @@ detection:
 condition: selection
 falsepositives:
 - Unlikely
-level: high
+level: critical
 tags:
- - attack.defense_evasion
 - attack.privilege_escalation
+ - attack.credential_access
+ - attack.t1528
+ - attack.t1134.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml b/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
index 79d431191..f73b2a6f8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_import_module_susp_dirs.yml
@@ -33,5 +33,5 @@ falsepositives:
 - Unknown
 level: medium
 tags:
- - attack.lateral_movement
- - attack.t1021.006
+ - attack.execution
+ - attack.t1059.001
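Review bot: The added `attack.t1528` tag (Steal Application Access Token) describes theft of OAuth/cloud application tokens, while what Koh captures — Windows logon sessions and access tokens — is already covered by the `attack.t1134.001` tag added two lines below, so T1528 looks like a mis-mapping; I would drop `- attack.t1528` and keep `- attack.credential_access` next to `- attack.t1134.001`, and reconsider removing `attack.defense_evasion`, since T1134 sits under both Defense Evasion and Privilege Escalation in ATT&CK. Raising `level` to `critical` is defensible for a match on what the filename indicates is Koh's default pipe name, but a default-name match is defeated by simply renaming the pipe, so the level should not be read as coverage of the tool; the `selection` that defines the pipe name is outside this hunk. The diffstat accounts for every changed line, so the rule's `modified:` date is not bumped in this commit — if the repository convention is to bump it on level or tag changes, that is missing here.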
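Review bot: Swapping the T1021.006 (WinRM) mapping for `attack.execution`/`attack.t1059.001` corrects a tag that did not describe this rule, but T1059.001 applies to every `powershell_script` rule and says nothing about the behaviour actually keyed on — importing a module from a suspicious directory — so a reader still cannot tell from the tags what the rule detects; a one-line `description`-level hint or a second tag for the load-from-writable-path behaviour would help, and at `medium` the `falsepositives: - Unknown` entry deserves a concrete expectation such as `- Administrators or installers importing modules from temporary or user-writable paths`. The `selection` that defines the suspicious directories is outside this hunk, and, as in the other file, `modified:` is not bumped.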