From e01083a62504188d044cc564dd12f72a62196479 Mon Sep 17 00:00:00 2001
From: megan201296
Date: Mon, 11 Apr 2022 10:41:46 -0500
Subject: [PATCH] Change MITRE ATT&CK tactic ID

The subtechnique `.011` is specific to RunDLL32 proxy execution. There is no existing sub-technique specific to wuauclt.exe so only the top level technique should be referenced.
---
 .../proc_creation_win_lolbas_execution_of_wuauclt.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_execution_of_wuauclt.yml b/rules/windows/process_creation/proc_creation_win_lolbas_execution_of_wuauclt.yml
index bae3fad54..5e00849c5 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbas_execution_of_wuauclt.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbas_execution_of_wuauclt.yml
@@ -29,4 +29,4 @@ level: medium
 tags:
 - attack.defense_evasion
 - attack.execution
- - attack.t1218.011
+ - attack.t1218
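Review bot: The `- attack.execution` tactic tag, kept as context in this hunk, has no technique tag backing it once the only technique listed is `attack.t1218`, since ATT&CK places T1218 (System Binary Proxy Execution) under Defense Evasion only. Coverage reports or ATT&CK Navigator layers generated from rule tags would then credit this rule to the Execution tactic without a technique to place it on. Either drop `- attack.execution`, or add the Execution technique the rule is meant to map to alongside it. The detection logic above line 29 is outside the hunk, so it may justify the second tactic; if so, a short comment next to the tag saying why would help the next reviewer.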