From 3624a7d5da2a306e5b011303fc016d9a6ba7054b Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Fri, 8 Nov 2019 02:51:42 +0300
Subject: [PATCH] Update win_file_permission_modifications.yml
---
 .../win_file_permission_modifications.yml | 21 +++++++++----------
 1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/rules/windows/process_creation/win_file_permission_modifications.yml b/rules/windows/process_creation/win_file_permission_modifications.yml
index 9e3ce01a..fc2d7bd1 100644
--- a/rules/windows/process_creation/win_file_permission_modifications.yml
+++ b/rules/windows/process_creation/win_file_permission_modifications.yml
@@ -5,6 +5,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml
 author: Jakob Weinzettl, oscd.community
 date: 2019/10/23
+modified: 2019/11/08
 tags:
 - attack.defense_evasion
 - attack.t1222
@@ -12,17 +13,15 @@ logsource:
 category: process_creation
 product: windows
 detection:
-selection1:
-CommandLine: 'takeown.exe'
-selection2:
-CommandLine: 'cacls.exe' # covers both cacls and icacls
-selection3:
-CommandLine: '/grant'
-selection4:
-CommandLine: 'attrib.exe'
-selection5:
-CommandLine: '-r'
-condition: selection1 or selection2 and selection3 or selection4 and selection5
+selection:
+- Image|endswith: '\takeown.exe'
+- Image|endswith:
+- '\cacls.exe'
+- '\icacls.exe'
+CommandLine|contains: '/grant'
+- Image|endswith: '\attrib.exe'
+CommandLine|contains: '-r'
+condition: selection
 falsepositives:
 - Users interacting with the files on their own (unlikely unless power users)
 level: medium
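Review bot: The attrib branch in the second hunk keys on `CommandLine|contains: '-r'`, a two-character substring that is satisfied by any attrib.exe command line containing "-r" anywhere (inside a file path, a longer switch, or a filename), so that branch effectively fires on nearly every attrib.exe execution rather than on the read-only-attribute removal the rule targets. Anchoring the switch on its leading separator, `CommandLine|contains: ' -r'`, or a `|re` match with whitespace on both sides of `-r`, keeps the intent while removing most of that noise. The takeown branch carries no CommandLine constraint at all, which is presumably intended since any takeown invocation is of interest, but a short comment above that entry saying so would save the next maintainer from "fixing" it. The removed comment `# covers both cacls and icacls` is superseded by the explicit two-entry list, so nothing is lost there; the first hunk is a metadata-only date addition. The whole `detection:` block is visible within this hunk.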