diff --git a/rules/windows/process_access/sysmon_invoke_phantom.yml b/rules/windows/process_access/sysmon_invoke_phantom.yml
index c90377b16..fd32409c6 100755
--- a/rules/windows/process_access/sysmon_invoke_phantom.yml
+++ b/rules/windows/process_access/sysmon_invoke_phantom.yml
@@ -9,6 +9,7 @@ references:
 - https://twitter.com/timbmsft/status/900724491076214784
 tags:
 - attack.t1089
+ - attck.t1562.001
 - attack.defense_evasion
 logsource:
 category: process_access
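Review bot: The added tag is misspelled as `- attck.t1562.001`; it should read `- attack.t1562.001`, matching the `attack.` prefix used by the two neighbouring tags. With the typo the tag falls outside the `attack.` namespace, so tooling that maps rule tags to ATT&CK techniques (coverage heatmaps, tag linters, SIEM enrichment) will most likely not attribute this rule to T1562.001, and the rule will be counted only under the older `attack.t1089` id. Because the file is valid YAML either way, a tag-format check in CI that requires the `attack.` prefix on technique tags would catch this class of error. The old `attack.t1089` tag is kept next to the new one; if that is a deliberate transition step, a short comment saying so would help.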