diff --git a/rules/linux/auditd/lnx_auditd_data_compressed.yml b/rules/linux/auditd/lnx_auditd_data_compressed.yml
index 1a54bfcf4..f16de36cd 100644
--- a/rules/linux/auditd/lnx_auditd_data_compressed.yml
+++ b/rules/linux/auditd/lnx_auditd_data_compressed.yml
@@ -9,6 +9,7 @@ date: 2019-10-21
 modified: 2023-07-28
 tags:
     - attack.exfiltration
+    - attack.collection
     - attack.t1560.001
 logsource:
     product: linux
diff --git a/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml b/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml
index 5463640d8..31ab0aab9 100644
--- a/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml
+++ b/rules/macos/process_creation/proc_creation_macos_hdiutil_mount.yml
@@ -10,6 +10,7 @@ author: Omar Khaled (@beacon_exe)
 date: 2024-08-10
 tags:
     - attack.initial-access
+    - attack.collection
     - attack.t1566.001
     - attack.t1560.001
 logsource:
diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
index bb632c13a..3c9c83f8d 100644
--- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
+++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml
@@ -15,6 +15,7 @@ author: '@neu5ron, @Antonlovesdnb, Mike Remen'
 date: 2021-08-17
 modified: 2022-11-28
 tags:
+    - attack.credential-access
     - attack.t1557.001
     - attack.t1187
 logsource:
diff --git a/rules/windows/builtin/security/win_security_alert_ruler.yml b/rules/windows/builtin/security/win_security_alert_ruler.yml
index 3c3ce3c84..be36a4e70 100644
--- a/rules/windows/builtin/security/win_security_alert_ruler.yml
+++ b/rules/windows/builtin/security/win_security_alert_ruler.yml
@@ -14,6 +14,7 @@ modified: 2022-10-09
 tags:
     - attack.discovery
     - attack.execution
+    - attack.collection
     - attack.t1087
     - attack.t1114
     - attack.t1059
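Review bot: The `modified: 2023-07-28` context line at the top of this hunk is left untouched while the rule's tag list changes; if the project's convention is to bump `modified` on any edit to a rule file, this hunk should also carry `modified: <COMMIT_DATE>` (placeholder for the date of this commit). The same applies to the zeek_dce_rpc_potential_petit_potam_efs_rpc_call, win_security_alert_ruler, win_system_lpe_indicators_tabtip, proc_creation_win_browsers_remote_debugging and proc_creation_win_hktl_relay_attacks_tools hunks, where a `modified:` line is visible as unchanged context. For the hdiutil_mount and chromium_headless_debugging hunks only `date:` is visible, so whether they have a `modified` field cannot be told from the diff.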
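Review bot: Only `attack.credential-access` is added above `attack.t1557.001` and `attack.t1187`, yet in ATT&CK T1557 (Adversary-in-the-Middle) sits under both Credential Access and Collection; if this commit's intent is to give every technique tag its tactic tags, the hunk is still missing `    - attack.collection` next to the added line. The same gap appears in the win_system_lpe_indicators_tabtip and proc_creation_win_hktl_relay_attacks_tools hunks, which likewise add only `attack.credential-access` for T1557.001. If only the primary tactic was meant, stating that in the commit description would make the choice reviewable.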
diff --git a/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml b/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml
index 63dddc65f..1b85ee70f 100644
--- a/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml
+++ b/rules/windows/builtin/system/microsoft_windows_distributed_com/win_system_lpe_indicators_tabtip.yml
@@ -9,6 +9,7 @@ date: 2022-10-07
 modified: 2023-04-14
 tags:
     - attack.execution
+    - attack.credential-access
     - attack.t1557.001
 logsource:
     product: windows
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
index 25650868e..554bd200a 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml
@@ -14,6 +14,7 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-12-23
 tags:
     - attack.credential-access
+    - attack.collection
     - attack.t1185
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml b/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml
index 7199a169a..250721d52 100644
--- a/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml
+++ b/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml
@@ -15,6 +15,7 @@ date: 2022-07-27
 modified: 2022-12-23
 tags:
     - attack.credential-access
+    - attack.collection
     - attack.t1185
 logsource:
     category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml b/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml
index 73463a3fa..94db90c07 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml
@@ -14,6 +14,7 @@ date: 2021-07-24
 modified: 2023-02-14
 tags:
     - attack.execution
+    - attack.credential-access
     - attack.t1557.001
 logsource:
     category: process_creation