fix: update rule to move takeown

rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml

@@ -7,7 +7,7 @@ references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)
 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali
 date: 2019/10/23
-modified: 2022/09/13
+modified: 2022/11/10
 tags:
     - attack.defense_evasion
     - attack.t1222.001
@@ -15,9 +15,8 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
+    selection1:
         Image|endswith:
-            - '\takeown.exe'
             - '\cacls.exe'
             - '\icacls.exe'
             - '\net.exe' # Option available when used with "net share"
@@ -26,6 +25,8 @@ detection:
     selection2:
         Image|endswith: '\attrib.exe'
         CommandLine|contains: '-r'
+    selection3:
+        Image|endswith: '\takeown.exe'
     filter_reset:
         CommandLine|endswith: 'ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset'
     filter_grant: