diff --git a/rules/windows/process_creation/win_file_permission_modifications.yml b/rules/windows/process_creation/win_file_permission_modifications.yml
index 56f95a94e..c40dbbf3a 100644
--- a/rules/windows/process_creation/win_file_permission_modifications.yml
+++ b/rules/windows/process_creation/win_file_permission_modifications.yml
@@ -16,9 +16,10 @@ detection:
 - '\takeown.exe'
 - '\cacls.exe'
 - '\icacls.exe'
- CommandLine|contains: '/grant'
- Image|endswith: '\attrib.exe'
- CommandLine|contains: '-r'
+ - '\attrib.exe'
+ CommandLine|contains:
+ - '/grant'
+ - '-r'
 filter:
 CommandLine:
 - 'C:\Windows\system32\cmd.exe /C ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset'
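Review bot: The new `CommandLine|contains` list applies `-r` to takeown.exe, cacls.exe and icacls.exe as well as attrib.exe, and `/grant` to attrib.exe. Values of one field are OR-ed and the fields are AND-ed, so the old image/argument pairing is lost. `-r` is a short substring that also occurs inside ordinary paths (a constructed example: a directory named `my-repo`), so the rule is likely to fire on benign takeown/icacls invocations and add alert noise. The repeated keys in the old mapping did need fixing, but two separately named selections would keep each tool tied to its own argument. The parent key of these lines and the `condition` line are outside the hunk, so the selection names below are placeholders and the condition would have to reference both of them.

```yaml
# placeholder names; the condition (outside the hunk) must reference both selections
selection_acl:
    Image|endswith:
        # … unchanged: takeown.exe / cacls.exe / icacls.exe entries …
    CommandLine|contains: '/grant'
selection_attrib:
    Image|endswith: '\attrib.exe'
    CommandLine|contains: '-r'
# … unchanged: filter …
```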