diff --git a/rules/windows/sysmon/sysmon_susp_certutil_command.yml b/rules/windows/sysmon/sysmon_susp_certutil_command.yml
index d3da2ec2a..37da13112 100644
--- a/rules/windows/sysmon/sysmon_susp_certutil_command.yml
+++ b/rules/windows/sysmon/sysmon_susp_certutil_command.yml
@@ -25,6 +25,11 @@ detection:
 fields:
 - CommandLine
 - ParentCommandLine
+tags: - attack.defense_evasion - attack.t1140 - attack.s0189 - attack.g0007
 falsepositives:
 - False positives depend on scripts and administrative tools used in the monitored environment
 level: high
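Review bot: The new `tags:` block is inserted between `fields:` and `falsepositives:`, whereas Sigma rules conventionally place `tags` with the rule metadata (after `date`/`modified`, before `logsource`); moving it there keeps this file consistent with the rest of the ruleset and makes the ATT&CK mapping visible where readers look for it. The group tag `attack.g0007` also binds a generic certutil command-line detection to a single actor, which is far narrower than the technique and software tags next to it; unless the detection logic (which starts above this hunk) is specific to that actor's usage, the rationale for the group tag should be stated in `description` or `references`, or the tag dropped. Whether `attack.t1140` is the only applicable technique cannot be judged from the hunk, since the `detection:` block is outside it; if the selection also matches download-style invocations, a second technique tag such as `attack.t1105` would be worth adding.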