From 05b91847cdd77b393b7e6ebe3473789e8a024968 Mon Sep 17 00:00:00 2001
From: Suleyman Ozarslan
Date: Thu, 19 Jul 2018 16:42:39 +0300
Subject: [PATCH] ATT&CK tagging of Suspicious Certutil Command rule

---
 rules/windows/sysmon/sysmon_susp_certutil_command.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/rules/windows/sysmon/sysmon_susp_certutil_command.yml b/rules/windows/sysmon/sysmon_susp_certutil_command.yml
index d3da2ec2a..37da13112 100644
--- a/rules/windows/sysmon/sysmon_susp_certutil_command.yml
+++ b/rules/windows/sysmon/sysmon_susp_certutil_command.yml
@@ -25,6 +25,11 @@ detection:
 fields:
 - CommandLine
 - ParentCommandLine
+tags:
+ - attack.defense_evasion
+ - attack.t1140
+ - attack.s0189
+ - attack.g0007
 falsepositives:
 - False positives depend on scripts and administrative tools used in the monitored environment
 level: high
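Review bot: The software and group tags `attack.s0189` and `attack.g0007` added under `tags:` should be verified against the ATT&CK software entry for certutil before merging, because a wrong software ID silently mislabels every match of this rule in downstream tooling and I cannot confirm from the diff alone that S0189 resolves to certutil. Pinning a generic living-off-the-land rule to a single group via `attack.g0007` is also a narrow attribution that analysts may read as a confirmed actor, so consider dropping the group tag or stating in `description` that the group mapping reflects reported use rather than an identification. The tactic/technique pair `attack.defense_evasion` / `attack.t1140` is consistent with the decode behaviour the rule title implies; the `detection` block these tags classify lies outside the hunk.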