title: Ingress Tool Transfer Using Replace.exe
id: 6ccf0c00-1061-4195-a724-6d9c0058b036
description: Detects download operations using Replace.exe.
status: experimental
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Replace
author: Jonhnathan Ribeiro, oscd.community
date: 2020/10/07
tags:
    - attack.command_and_control
    - attack.t1105
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\replace.exe'
        CommandLine|contains|all:
            - "\\\\\\\\"
            - "/A"
    condition: selection
falsepositives:
    - Legitimate use of the binary to download files from a share
level: low
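The selection logic of the rule, expressed as runnable Python over constructed process-creation events. This is an added example, not part of the Sigma rule or of the Sigma project's own code. It assumes the rule's value `"\\\\\\\\"` resolves, after YAML double-quote unescaping and Sigma's own backslash escaping, to the two literal backslashes that open a UNC path, and that string matching is case-insensitive, as the Sigma specification defines for the `endswith` and `contains` modifiers. The event field names follow the Sigma `process_creation` log source; the sample events are constructed for illustration only.

```python
# Added example: evaluates the rule's 'selection' block over constructed
# Windows process-creation events. Not the Sigma project's code.

RULE_ID = "6ccf0c00-1061-4195-a724-6d9c0058b036"

# Values as the rule's YAML resolves them (assumption stated in the lead-in):
# "\\\\\\\\" in a double-quoted YAML scalar is four backslash characters, and
# Sigma's escaping (a doubled backslash means one literal backslash) reduces
# that to the two backslashes of a UNC path prefix. /A tells replace.exe to
# add files that do not yet exist in the destination directory.
IMAGE_SUFFIXES = ("\\replace.exe",)
COMMANDLINE_TERMS = ("\\\\", "/A")


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies the rule's 'selection' block.

    Image|endswith      -> Image must end with one of IMAGE_SUFFIXES.
    CommandLine|contains|all -> every term must appear in CommandLine.
    Sigma string matching is case-insensitive, so both sides are lowered.
    """
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    image_ok = any(image.endswith(s.lower()) for s in IMAGE_SUFFIXES)
    cmd_ok = all(t.lower() in cmdline for t in COMMANDLINE_TERMS)
    return image_ok and cmd_ok


# Constructed sample telemetry (not real events).
SAMPLE_EVENTS = [
    # replace.exe pulling a file from a UNC share with /A -> matches
    {"Image": r"C:\Windows\System32\replace.exe",
     "CommandLine": r"replace.exe \\fileserver\share\tool.exe C:\Users\Public /A"},
    # same binary, local-to-local copy, no UNC path -> no match
    {"Image": r"C:\Windows\System32\replace.exe",
     "CommandLine": r"replace.exe C:\src\config.ini C:\app /A"},
    # mixed case, UNC path and lowercase /a -> still matches (case-insensitive)
    {"Image": r"c:\windows\syswow64\REPLACE.EXE",
     "CommandLine": r"REPLACE.EXE \\fileserver2\c$\update.dll C:\Temp /a"},
    # different binary with the same arguments -> no match
    {"Image": r"C:\Windows\System32\xcopy.exe",
     "CommandLine": r"xcopy.exe \\fileserver\share\file.txt C:\Temp /A"},
]


def evaluate(events) -> list:
    """Return the indexes of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        print(f"[{RULE_ID}] attack.t1105 match: {SAMPLE_EVENTS[i]['CommandLine']}")
```

The first and third sample events trigger the rule; the second fails the UNC-path term and the fourth fails the image check. Note that a legitimate administrative copy from a file share produces exactly the same fields, which is why the rule carries a low level: triage on the share host, the file name and the parent process rather than on the match alone.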