From e47bee2d4eb5e639a26cdee95a78f0593044f43e Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Fri, 16 Oct 2020 09:10:48 -0300
Subject: [PATCH] Revert "Create win_susp_replace_lolbin.yml"

This reverts commit e6a65496768a460d32de0b7d9742ce969fb4ea5d.
---
 .../win_susp_replace_lolbin.yml | 25 -------------------
 1 file changed, 25 deletions(-)
 delete mode 100644 rules/windows/process_creation/win_susp_replace_lolbin.yml

diff --git a/rules/windows/process_creation/win_susp_replace_lolbin.yml b/rules/windows/process_creation/win_susp_replace_lolbin.yml
deleted file mode 100644
index d530fec79..000000000
--- a/rules/windows/process_creation/win_susp_replace_lolbin.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: Ingress Tool Transfer Using Replace.exe
-id: 6ccf0c00-1061-4195-a724-6d9c0058b036
-description: Detect Copy and Download operations using Replace.exe.
-status: experimental
-references:
- - https://lolbas-project.github.io/lolbas/Binaries/Replace
-author: Jonhnathan Ribeiro, oscd.community
-date: 2020/10/07
-tags:
- - attack.command_and_control
- - attack.t1105
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- Image|endswith:
- - '\replace.exe'
- CommandLine|contains:
- - "\\\\\\\\"
- - "/A"
- condition: selection
-falsepositives:
- - Legitimate use of the binary
-level: low