diff --git a/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml b/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml
index c5e79d6ba..fe216e591 100644
--- a/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml
+++ b/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml
@@ -3,6 +3,9 @@ status: experimental
 description: Detects execution of sdbinst writing to default shim database path C:\Windows\AppPatch\*
 references:
  - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
+tags:
+ - attack.persistence
+ - attack.T1138
 author: Markus Neis
 date: 2018/03/08
 logsource:
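Review bot: The technique tag on the added line `- attack.T1138` uses an uppercase `T`, whereas Sigma tags are conventionally written in lowercase; `- attack.t1138` keeps the rule consistent for any tooling or coverage mapping that matches tags case-sensitively. ATT&CK lists Application Shimming (T1138) under privilege escalation as well as persistence, so `- attack.privilege_escalation` could sit beside `- attack.persistence` if the rule should show up in both tactic views. The rest of the rule (logsource and detection) lies outside the hunk, so this note covers only the tag block.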