diff --git a/rules/windows/process_creation/win_susp_replace_lolbin.yml b/rules/windows/process_creation/win_susp_replace_lolbin.yml
new file mode 100644
index 00000000..d530fec7
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_replace_lolbin.yml
@@ -0,0 +1,25 @@
+title: Ingress Tool Transfer Using Replace.exe
+id: 6ccf0c00-1061-4195-a724-6d9c0058b036
+description: Detect Copy and Download operations using Replace.exe.
+status: experimental
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Replace
+author: Jonhnathan Ribeiro, oscd.community
+date: 2020/10/07
+tags:
+    - attack.command_and_control
+    - attack.t1105
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith:
+            - '\replace.exe'
+        CommandLine|contains:
+            - "\\\\\\\\"
+            - "/A"
+    condition: selection
+falsepositives:
+    - Legitimate use of the binary
+level: low
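Review bot: The UNC-prefix pattern under `CommandLine|contains` is written as an eight-backslash double-quoted scalar (`"\\\\\\\\"`) with no explanation, so a reader cannot tell at a glance that YAML unescapes it to four backslashes and Sigma then reads those as the two-character prefix `\\`; single quotes and a comment make the intent checkable, e.g. `- '\\\\'  # UNC prefix \\ after Sigma unescaping`. The two list entries are OR'd, so the rule also fires on any replace.exe invocation whose command line merely contains `/A` (matched case-insensitively) with no UNC path at all — confirm that is intended given the "download" wording in the description, or document the broader scope in `falsepositives`. Matching only on `Image|endswith: '\replace.exe'` misses a renamed copy of the binary; if the executable's PE OriginalFileName is known it is worth adding as a second field in the selection.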