Create win_susp_replace_lolbin.yml

Item 77 of #1014
2024-11-07 01:45:21 +00:00 · 2020-10-07 10:37:15 -03:00 · 2020-10-07 10:37:15 -03:00 · e6a6549676
commit e6a6549676
parent c56cd2dfff
1 changed files with 25 additions and 0 deletions
--- a/rules/windows/process_creation/win_susp_replace_lolbin.yml
+++ b/rules/windows/process_creation/win_susp_replace_lolbin.yml
@ -0,0 +1,25 @@
+title: Ingress Tool Transfer Using Replace.exe
+id: 6ccf0c00-1061-4195-a724-6d9c0058b036
+description: Detect Copy and Download operations using Replace.exe.
+status: experimental
+references:
+  - https://lolbas-project.github.io/lolbas/Binaries/Replace
+author: Jonhnathan Ribeiro, oscd.community
+date: 2020/10/07
+tags:
+  - attack.command_and_control
+  - attack.t1105
+logsource:
+  category: process_creation
+  product: windows
+detection:
+  selection:
+    Image|endswith:
+      - '\replace.exe'
+    CommandLine|contains:
+      - "\\\\\\\\"
+      - "/A"
+  condition: selection
+falsepositives:
+  - Legitimate use of the binary
+level: low