
Summary
This analytic rule monitors for potentially malicious modifications of file or directory ownership and permissions made with the takeown.exe utility on Windows systems. The detection relies on process-execution telemetry from several sources, including Sysmon, Windows Security Event Logs (specifically Event ID 4688) and CrowdStrike's EDR product, and uses the recorded process name, process ID, command-line arguments and parent process name. takeown.exe is the focus because its misuse is common in ransomware attacks, where attackers take ownership of files so that they can encrypt or delete them. Unauthorized changes to file ownership and permissions can severely compromise the integrity and availability of essential data, which makes this rule valuable for early detection and response. Implementation requires ingesting the relevant command-line execution logs and ensuring they are mapped to the Splunk Common Information Model (CIM) so that the data model searches work as intended.
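The following Python snippet is an added illustration of the detection idea described above; it is not the rule's own Splunk search and not code from the Splunk project. It assumes process-creation events have already been normalized to the CIM Endpoint.Processes field names (process_name, process, parent_process_name, process_id, dest, user), flags every execution of takeown.exe regardless of case, and enriches each finding with the target path (the argument following /f) and whether the recursive switch /r was used, so an analyst can judge scope at a glance. The event records are constructed sample data.

```python
"""
Added example: flag takeown.exe executions in CIM-normalized process events.
Field names follow the Splunk CIM Endpoint.Processes data model; the sample
events below are constructed and do not come from a real host.
"""
import shlex
from dataclasses import dataclass

# Constructed sample events, already mapped to CIM Endpoint.Processes fields.
SAMPLE_EVENTS = [
    {"_time": "2024-11-13T09:14:02Z", "dest": "ws01", "user": "CORP\\alice",
     "parent_process_name": "explorer.exe", "process_name": "notepad.exe",
     "process": "notepad.exe C:\\Users\\alice\\notes.txt", "process_id": "4120"},
    {"_time": "2024-11-13T09:15:40Z", "dest": "ws01", "user": "CORP\\alice",
     "parent_process_name": "cmd.exe", "process_name": "takeown.exe",
     "process": "takeown.exe /f C:\\Users\\bob\\Documents /r /d y", "process_id": "4388"},
    {"_time": "2024-11-13T09:16:05Z", "dest": "srv02", "user": "NT AUTHORITY\\SYSTEM",
     "parent_process_name": "services.exe", "process_name": "svchost.exe",
     "process": "svchost.exe -k netsvcs", "process_id": "812"},
    {"_time": "2024-11-13T09:17:11Z", "dest": "srv02", "user": "CORP\\svc_backup",
     "parent_process_name": "powershell.exe", "process_name": "TAKEOWN.EXE",
     "process": "TAKEOWN.EXE /F D:\\Shares\\Finance\\budget.xlsx", "process_id": "5012"},
]


@dataclass
class Finding:
    """One alert-worthy takeown.exe execution with the context an analyst needs."""
    time: str
    dest: str
    user: str
    parent_process_name: str
    process_id: str
    target: str
    recursive: bool
    process: str


def parse_takeown_args(cmdline: str):
    """Extract the /f target and the presence of /r from a takeown command line.

    shlex in non-POSIX mode keeps Windows backslashes intact and still honours
    quoted paths containing spaces.
    """
    tokens = shlex.split(cmdline, posix=False)
    target = ""
    recursive = False
    for i, tok in enumerate(tokens):
        low = tok.lower()
        if low == "/f" and i + 1 < len(tokens):
            target = tokens[i + 1].strip('"')
        elif low == "/r":
            recursive = True
    return target, recursive


def detect_takeown(events):
    """Return a Finding for every event whose process_name is takeown.exe."""
    findings = []
    for ev in events:
        # Case-insensitive match: Sysmon and 4688 preserve the caller's casing.
        if ev.get("process_name", "").lower() != "takeown.exe":
            continue
        target, recursive = parse_takeown_args(ev.get("process", ""))
        findings.append(Finding(
            time=ev.get("_time", ""),
            dest=ev.get("dest", ""),
            user=ev.get("user", ""),
            parent_process_name=ev.get("parent_process_name", ""),
            process_id=ev.get("process_id", ""),
            target=target,
            recursive=recursive,
            process=ev.get("process", ""),
        ))
    return findings


def format_alert(f: Finding) -> str:
    """Render a finding as a one-line alert message."""
    scope = "recursive" if f.recursive else "single path"
    return (f"[{f.time}] {f.dest}: takeown.exe (pid {f.process_id}) run by {f.user} "
            f"from {f.parent_process_name}; target={f.target!r} ({scope})")


if __name__ == "__main__":
    for finding in detect_takeown(SAMPLE_EVENTS):
        print(format_alert(finding))
```

The parent process and user fields matter for triage: takeown.exe launched from a script host or a service account against a file share is a very different signal from an administrator running it interactively. Note that Security Event ID 4688 only carries the command line when the "Include command line in process creation events" audit policy is enabled; without it the target path enrichment above has nothing to parse, and Sysmon Event ID 1 or the EDR feed must supply the command line instead.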
Categories
- Endpoint
Data Sources
- Windows Registry
- Process
ATT&CK Techniques
- T1222
Created: 2024-11-13