mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2025-01-30 23:33:04 +01:00
33 lines
1.2 KiB
YAML
33 lines
1.2 KiB
YAML
---
|
|
Name: Replace.exe
|
|
Description: Used to replace file with another file
|
|
Author: Oddvar Moe
|
|
Created: 2018-05-25
|
|
Commands:
|
|
- Command: replace.exe {PATH_ABSOLUTE:.cab} {PATH_ABSOLUTE:folder} /A
|
|
Description: Copy .cab file to destination
|
|
Usecase: Copy files
|
|
Category: Copy
|
|
Privileges: User
|
|
MitreID: T1105
|
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
|
- Command: replace.exe {PATH_SMB:.exe} {PATH_ABSOLUTE:folder} /A
|
|
Description: Download/Copy executable to specified folder
|
|
Usecase: Download file
|
|
Category: Download
|
|
Privileges: User
|
|
MitreID: T1105
|
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
|
|
Full_Path:
|
|
- Path: C:\Windows\System32\replace.exe
|
|
- Path: C:\Windows\SysWOW64\replace.exe
|
|
Detection:
|
|
- IOC: Replace.exe retrieving files from remote server
|
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml
|
|
Resources:
|
|
- Link: https://twitter.com/elceef/status/986334113941655553
|
|
- Link: https://twitter.com/elceef/status/986842299861782529
|
|
Acknowledgement:
|
|
- Person: elceef
|
|
Handle: '@elceef'
|