security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Revert "Revert "Changed the rule to download only and not the copy""

Browse Source 
This reverts commit b0ddaf5ac9.
This commit is contained in:
Jonhnathan
2020-10-16 11:05:03 -03:00
parent ec32341e89
commit eee2ace2c6
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/process_creation/win_susp_replace_lolbin.yml
+3 -3
View File
@@ -1,6 +1,6 @@
title: Ingress Tool Transfer Using Replace.exe
id: 6ccf0c00-1061-4195-a724-6d9c0058b036
description: Detect Copy and Download operations using Replace.exe.
description: Detect Download operations using Replace.exe.
status: experimental
references:
- https://lolbas-project.github.io/lolbas/Binaries/Replace
@@ -16,10 +16,10 @@ detection:
selection:
Image|endswith:
- '\replace.exe'
CommandLine|contains:
CommandLine|contains|all:
- "\\\\\\\\"
- "/A"
condition: selection
falsepositives:
- Legitimate use of the binary
- Legitimate use of the binary to download files from a share
level: low