Merge pull request #2676 from redsand/fp_allow_dynatrace_behavior

Filtering fp of dynatrace behavior

rules/windows/process_creation/win_file_permission_modifications.yml

@@ -6,27 +6,35 @@ author: Jakob Weinzettl, oscd.community
 references:
   - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md
 date: 2019/10/23
-modified: 2021/11/27
+modified: 2022/02/11
 logsource:
   category: process_creation
   product: windows
 detection:
   selection:
-    - Image|endswith:
-        - '\takeown.exe'
-        - '\cacls.exe'
-        - '\icacls.exe'
-      CommandLine|contains: '/grant'
-    - Image|endswith: '\attrib.exe'
-      CommandLine|contains: '-r'
-  condition: selection
+    Image|endswith:
+      - '\takeown.exe'
+      - '\cacls.exe'
+      - '\icacls.exe'
+    CommandLine|contains: '/grant'
+  selection2:
+    Image|endswith: '\attrib.exe'
+    CommandLine|contains: '-r'
+  filter_reset:
+    CommandLine|endswith: 'ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset'
+  filter_grant:
+    CommandLine|contains|all:
+      - 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r '
+      - 'S-1-5-19:F'
+  condition: selection or selection2 and not 1 of filter*
 fields:
   - ComputerName
   - User
   - CommandLine
 falsepositives:
   - Users interacting with the files on their own (unlikely unless privileged users).
+  - Dynatrace app
 level: medium
 tags:
   - attack.defense_evasion
-  - attack.t1222.001
+  - attack.t1222.001