From eee2ace2c6f00f0195cdda04770ff2083950bf98 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Fri, 16 Oct 2020 11:05:03 -0300
Subject: [PATCH] Revert "Revert "Changed the rule to download only and not the copy""

This reverts commit b0ddaf5ac986d15ede1142fb22e37d56d047ffa9.
---
 rules/windows/process_creation/win_susp_replace_lolbin.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/windows/process_creation/win_susp_replace_lolbin.yml b/rules/windows/process_creation/win_susp_replace_lolbin.yml
index d530fec79..9dbdb1e21 100644
--- a/rules/windows/process_creation/win_susp_replace_lolbin.yml
+++ b/rules/windows/process_creation/win_susp_replace_lolbin.yml
@@ -1,6 +1,6 @@
 title: Ingress Tool Transfer Using Replace.exe
 id: 6ccf0c00-1061-4195-a724-6d9c0058b036
-description: Detect Copy and Download operations using Replace.exe.
+description: Detect Download operations using Replace.exe.
 status: experimental
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Replace
@@ -16,10 +16,10 @@ detection:
 selection:
 Image|endswith:
 - '\replace.exe'
- CommandLine|contains:
+ CommandLine|contains|all:
 - "\\\\\\\\"
 - "/A"
 condition: selection
 falsepositives:
- - Legitimate use of the binary
+ - Legitimate use of the binary to download files from a share
 level: low
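Review bot: In the second hunk the `"/A"` term is an unbounded substring, so `CommandLine|contains|all` still fires on any replace.exe command line that contains `\\` plus the two characters `/A` anywhere in a path or file name (and `/a` as well, since Sigma string matching is case-insensitive unless the `cased` modifier is used); tightening it to `- ' /A'` would pin it to the switch position with no other change. The selection also keys only on `Image|endswith: '\replace.exe'`, so a renamed copy of the binary is not caught; a second selection on the PE `OriginalFileName` (verify the exact value against the binary) would make the rule robust to renaming, though that is a new field rather than something this revert touches. The `"\\\\\\\\"` term needs two rounds of unescaping to read, so a one-line comment would help the next maintainer, e.g. `# YAML "\\\\\\\\" is \\\\, which Sigma unescapes to the literal UNC prefix \\`. The first hunk is a description-only change and needs nothing further.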