Merge pull request #1234 from w0rk3r/oscd1

[OSCD] Update win_susp_replace_lolbin.yml

rules/windows/process_creation/win_susp_replace_lolbin.yml

@@ -0,0 +1,25 @@
+title: Ingress Tool Transfer Using Replace.exe
+id: 6ccf0c00-1061-4195-a724-6d9c0058b036
+description: Detect Download operations using Replace.exe.
+status: experimental
+references:
+  - https://lolbas-project.github.io/lolbas/Binaries/Replace
+author: Jonhnathan Ribeiro, oscd.community
+date: 2020/10/07
+tags:
+  - attack.command_and_control
+  - attack.t1105
+logsource:
+  category: process_creation
+  product: windows
+detection:
+  selection:
+    Image|endswith:
+      - '\replace.exe'
+    CommandLine|contains|all:
+      - '\\\'
+      - '/A'
+  condition: selection
+falsepositives:
+  - Legitimate use of the binary to download files from a share
+level: low