From 7819a3b96ed0320239a3e597edb03550d8d101e3 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Thu, 7 Apr 2022 14:46:58 +0200
Subject: [PATCH] Update tags
---
 .../proc_creation_win_infdefaultinstall.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml b/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml
index bbaf8eb63..85986ef84 100644
--- a/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml
+++ b/rules/windows/process_creation/proc_creation_win_infdefaultinstall.yml
@@ -5,11 +5,8 @@ author: frack113
 date: 2021/07/13
 description: Executes SCT script using scrobj.dll from a command in entered into a specially prepared INF file.
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml
-tags:
- - attack.defense_evasion
- - attack.t1562.001
 logsource:
 category: process_creation
 product: windows
@@ -27,3 +24,6 @@ fields:
 falsepositives:
 - Unknown
 level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218
\ No newline at end of file
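Review bot: The new reference on the `+` line of the first hunk is a numbered anchor (`#atomic-test-4---infdefaultinstallexe-inf-execution`) on `blob/master`, so it can stop resolving or land on a different test if tests in that upstream file are added, removed or reordered. An analyst triaging an alert from this rule relies on that link to see the procedure being detected. Pinning the link to a commit keeps it stable, for example `- https://github.com/redcanaryco/atomic-red-team/blob/<COMMIT_SHA>/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution`, where `<COMMIT_SHA>` is a placeholder to be filled in.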
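Review bot: The corrected `tags:` block is appended after `level: medium` as the last lines of the file, and the patch records `\ No newline at end of file`. Leaving the block where it was, after `references`, and changing only `- attack.t1562.001` to `- attack.t1218` would keep the usual Sigma field order and reduce the change to one line. The file should also end with a newline so later appends diff cleanly. Neither hunk shows a `modified` field; because the ATT&CK mapping changes how this rule is counted in coverage reporting, adding `modified: 2022/04/07` after `date` would record when the mapping changed. The lines between the two hunks are not visible here, so confirm it is not already present.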