diff --git a/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml b/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml
index 5bec5a7db..09ee432b1 100644
--- a/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml
+++ b/rules/windows/sysmon/sysmon_ghostpack_safetykatz.yml
@@ -5,7 +5,7 @@ references:
 - https://github.com/GhostPack/SafetyKatz
 tags:
 - attack.credential_access
- - attack.T1003
+ - attack.t1003
 author: Markus Neis
 date: 2018/24/07
 logsource:
diff --git a/rules/windows/sysmon/sysmon_mal_namedpipes.yml b/rules/windows/sysmon/sysmon_mal_namedpipes.yml
index 27b56e74c..b3026ab6e 100644
--- a/rules/windows/sysmon/sysmon_mal_namedpipes.yml
+++ b/rules/windows/sysmon/sysmon_mal_namedpipes.yml
@@ -31,7 +31,7 @@ detection:
 condition: selection
 tags:
 - attack.defense_evasion
- - attack.privelege_escalation
+ - attack.privilege_escalation
 - attack.t1055
 falsepositives:
 - Unkown
diff --git a/rules/windows/sysmon/sysmon_office_shell.yml b/rules/windows/sysmon/sysmon_office_shell.yml
index c226ffe44..dce5d9e8c 100644
--- a/rules/windows/sysmon/sysmon_office_shell.yml
+++ b/rules/windows/sysmon/sysmon_office_shell.yml
@@ -9,7 +9,7 @@ tags:
 - attack.execution
 - attack.defense_evasion
 - attack.t1059
- - attack.T1202
+ - attack.t1202
 author: Michael Haag, Florian Roth, Markus Neis
 date: 2018/04/06
 logsource:
diff --git a/rules/windows/sysmon/sysmon_powersploit_schtasks.yml b/rules/windows/sysmon/sysmon_powersploit_schtasks.yml
index 86a14c219..b0574753c 100644
--- a/rules/windows/sysmon/sysmon_powersploit_schtasks.yml
+++ b/rules/windows/sysmon/sysmon_powersploit_schtasks.yml
@@ -21,7 +21,7 @@ detection:
 tags:
 - attack.execution
 - attack.persistence
- - attack.privelege_escalation
+ - attack.privilege_escalation
 - attack.t1053
 - attack.t1086
 - attack.s0111
diff --git a/rules/windows/sysmon/sysmon_susp_schtask_creation.yml b/rules/windows/sysmon/sysmon_susp_schtask_creation.yml
index 0183aeca7..3855cb81c 100644
--- a/rules/windows/sysmon/sysmon_susp_schtask_creation.yml
+++ b/rules/windows/sysmon/sysmon_susp_schtask_creation.yml
@@ -19,7 +19,7 @@ fields:
 tags:
 - attack.execution
 - attack.persistence
- - attack.privelege_escalation
+ - attack.privilege_escalation
 - attack.t1053
 - attack.s0111
 falsepositives: