From 0bbad3bbf83c60df8ab75da209c7113023b07d4a Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Tue, 2 Sep 2025 16:18:35 +0100
Subject: [PATCH] Update defense_evasion_modify_ownership_os_files.toml (#5051)

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---
 .../defense_evasion_modify_ownership_os_files.toml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/windows/defense_evasion_modify_ownership_os_files.toml b/rules/windows/defense_evasion_modify_ownership_os_files.toml
index b3de6cf3d..21d79ba0e 100644
--- a/rules/windows/defense_evasion_modify_ownership_os_files.toml
+++ b/rules/windows/defense_evasion_modify_ownership_os_files.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/09/01"
 integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/09/01"
+updated_date = "2025/09/02"
 
 [rule]
 
@@ -22,10 +22,10 @@ index = [
 ]
 language = "eql"
 license = "Elastic License v2"
-name = "System File Onwership Change"
+name = "System File Ownership Change"
 note = """## Triage and analysis
 
-### Investigating System File Onwership Change
+### Investigating System File Ownership Change
 
 Adversaries may modify file or directory ownership to evade access control lists (ACLs) and access protected files.
 
@@ -83,7 +83,7 @@ process where host.os.type == "windows" and event.type == "start" and
 (
   (process.name : "icacls.exe" and process.args : "/reset") or
   (process.name : "takeown.exe" and process.args : "/f") or
-  (process.name : "/grant" and process.args : "grant" and process.args : "Everyone:F")
+  (process.name : "icacls.exe" and process.args : "/grant" and process.args : "Everyone:F")
 ) and process.command_line : "*.exe *C:\\Windows\\*"
 '''
 
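Review bot: The repaired third clause of the query matches `/grant` and `Everyone:F` as literal (case-insensitive, non-wildcard) argument values, so icacls invocations that express the same grant with inheritance flags (the `Everyone:(OI)(CI)F` spelling documented for icacls) or with `/grant:r` are not covered; if that coverage is intended, `process.args : ("/grant", "/grant:r") and process.args : "Everyone:*F"` would close the gap — confirm wildcard semantics of `:` against the stack versions this rule targets. Because the removed line compared `process.name` against `"/grant"`, that clause could never have fired, so this change enables alerting the rule has not produced before; it is worth re-checking the false-positive guidance in the `note` field (outside this hunk) against routine administrative icacls grants under C:\Windows before merging. The enclosing `query` string begins before this hunk.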