Revert "Changed the rule to download only and not the copy"

This reverts commit 1324bc1ad1.
2024-11-07 01:45:21 +00:00 · 2020-10-13 17:40:07 -03:00 · 2020-10-13 17:40:07 -03:00 · 1455d414bc
commit 1455d414bc
parent 1324bc1ad1
1 changed files with 3 additions and 3 deletions
--- a/rules/windows/process_creation/win_susp_replace_lolbin.yml
+++ b/rules/windows/process_creation/win_susp_replace_lolbin.yml
@ -1,6 +1,6 @@
 title: Ingress Tool Transfer Using Replace.exe
 id: 6ccf0c00-1061-4195-a724-6d9c0058b036
-description: Detect Download operations using Replace.exe.
+description: Detect Copy and Download operations using Replace.exe.
 status: experimental
 references:
  - https://lolbas-project.github.io/lolbas/Binaries/Replace
@ -16,10 +16,10 @@ detection:
  selection:
    Image|endswith:
      - '\replace.exe'
-    CommandLine|contains|all:
+    CommandLine|contains:
      - "\\\\\\\\"
      - "/A"
  condition: selection
 falsepositives:
-  - Legitimate use of the binary to download files from a share
+  - Legitimate use of the binary
 level: low