diff --git a/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml b/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml
index 6cf6d94e0..fd3689fca 100644
--- a/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml
+++ b/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml
@@ -9,9 +9,10 @@ date: 2022/10/12
 modified: 2023/01/25
 tags:
     - attack.command_and_control
-    - attack.t1572
     - attack.lateral_movement
+    - attack.t1572
     - attack.t1021.001
+    - attack.t1021.004
 logsource:
     category: process_creation
     product: windows