diff --git a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
index 178901d5c..22a7953bc 100644
--- a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
@@ -8,7 +8,7 @@ author: Florian Roth
 date: 2018/02/22
 tags:
     - attack.defense_evasion
-    - attack.1036
+    - attack.t1036
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/win_malware_script_dropper.yml b/rules/windows/process_creation/win_malware_script_dropper.yml
index e30909a5f..856e4a2ad 100644
--- a/rules/windows/process_creation/win_malware_script_dropper.yml
+++ b/rules/windows/process_creation/win_malware_script_dropper.yml
@@ -5,7 +5,7 @@ author: Margaritis Dimitrios (idea), Florian Roth (rule)
 tags:
     - attack.defense_evasion
     - attack.execution
-    - attack.1064
+    - attack.t1064
 logsource:
     category: process_creation
     product: windows
diff --git a/rules/windows/process_creation/win_susp_execution_path_webserver.yml b/rules/windows/process_creation/win_susp_execution_path_webserver.yml
index 27a998e0e..def8d4965 100644
--- a/rules/windows/process_creation/win_susp_execution_path_webserver.yml
+++ b/rules/windows/process_creation/win_susp_execution_path_webserver.yml
@@ -4,7 +4,7 @@ description: Detects a suspicious program execution in a web service root folder
 author: Florian Roth
 tags:
     - attack.persistence
-    - attack.1100
+    - attack.t1100
 logsource:
     category: process_creation
     product: windows