diff --git a/rules/apt/apt_apt29_tor.yml b/rules/apt/apt_apt29_tor.yml
index 6fcadf46d..b3fd89d18 100755
--- a/rules/apt/apt_apt29_tor.yml
+++ b/rules/apt/apt_apt29_tor.yml
@@ -5,9 +5,9 @@ description: 'This method detects malicious services mentioned in APT29 report b
 references:
 - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
 tags:
- - attack.command_and_control
+ - attack.persistence
 - attack.g0016
- - attack.t1172
+ - attack.t1050
 logsource:
 product: windows
 service: system
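Review bot: The new `attack.t1050` tag (New Service) sits under two ATT&CK tactics, persistence and privilege escalation, but the tags list gains only `attack.persistence`. Consider adding `- attack.privilege_escalation` next to it so that tactic-based coverage views count the rule under both. Dropping `attack.command_and_control` and `attack.t1172` looks right for a rule whose log source is the Windows System log rather than network telemetry, but the detection section lies outside the hunk, so that reading is inferred from the description and logsource lines only. If the Tor and domain-fronting context from the referenced report still matters to analysts triaging a hit, it is worth confirming that the description text carries it now that no tag does.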