diff --git a/rules/linux/auditd/lnx_auditd_susp_cmds.yml b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
index e05847324..1b18d682c 100644
--- a/rules/linux/auditd/lnx_auditd_susp_cmds.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_cmds.yml
@@ -6,7 +6,7 @@ references:
     - Internal Research - mostly derived from exploit code including code in MSF
 tags:
     - attack.execution
-    - attack.1059.004
+    - attack.t1059.004
 date: 2017/12/12
 author: Florian Roth
 logsource: