From a2fc57fa527a2e34c690eaf88de37cb832d7cdac Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 10 Nov 2022 17:04:02 +0100
Subject: [PATCH] fix: update rule to move takeown

---
 .../proc_creation_win_file_permission_modifications.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml b/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml
index abd1ed225..53f07c5be 100644
--- a/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml
+++ b/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml
@@ -7,7 +7,7 @@ references:
     - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)
 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali
 date: 2019/10/23
-modified: 2022/09/13
+modified: 2022/11/10
 tags:
     - attack.defense_evasion
     - attack.t1222.001
@@ -15,9 +15,8 @@ logsource:
     category: process_creation
     product: windows
 detection:
-    selection:
+    selection1:
         Image|endswith:
-            - '\takeown.exe'
             - '\cacls.exe'
             - '\icacls.exe'
             - '\net.exe' # Option available when used with "net share"
@@ -26,6 +25,8 @@ detection:
     selection2:
         Image|endswith: '\attrib.exe'
         CommandLine|contains: '-r'
+    selection3:
+        Image|endswith: '\takeown.exe'
     filter_reset:
         CommandLine|endswith: 'ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset'
     filter_grant:
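Review bot: Renaming `selection` to `selection1` (second hunk) and adding `selection3` (third hunk) is only safe if the rule's `condition:` is written as a wildcard such as `1 of selection* and not 1 of filter*`; the condition is below the last hunk and not in this patch, so if it still names `selection` explicitly the rule now references an undefined identifier and will fail to compile. Please confirm the condition line, or include its update in the same commit. Also, `selection3` matches every `takeown.exe` process start with no `CommandLine` constraint, which is a broad match for a routinely used admin tool and, if I read the commit subject correctly, was split out so filters can be scoped to it; a one-line comment above it would make that intent explicit, e.g. `# takeown.exe kept in its own selection so filters can target it separately`. The `detection` block continues past the end of the third hunk.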