Forfiles.EXE Child Process Masquerading
Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
Sigma rule (View on GitHub)
1title: Forfiles.EXE Child Process Masquerading
2id: f53714ec-5077-420e-ad20-907ff9bb2958
3status: experimental
4description: |
5 Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
6references:
7 - https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
8author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
9date: 2024/01/05
10tags:
11 - attack.defense_evasion
12 - attack.t1036
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 # Notes:
19 # - The parent must not have CLI options
20 # - The Child Image must be named "cmd" as its hardcoded in the "forfiles" binary
21 # - The Child CLI will always contains "/c echo" as its hardcoded in the original "forfiles" binary
22 ParentCommandLine|endswith:
23 - '.exe'
24 - '.exe"'
25 Image|endswith: '\cmd.exe'
26 CommandLine|startswith: '/c echo "'
27 filter_main_parent_not_sys:
28 ParentImage|contains:
29 - ':\Windows\System32\'
30 - ':\Windows\SysWOW64\'
31 ParentImage|endswith: '\forfiles.exe'
32 Image|contains:
33 - ':\Windows\System32\'
34 - ':\Windows\SysWOW64\'
35 Image|endswith: '\cmd.exe'
36 condition: selection and not 1 of filter_main_*
37falsepositives:
38 - Unknown
39level: high
References
-
The forfiles.exe program is a well-known lolbin. Its power comes from the /c command line argument that helps to specify a command that we want to execute for each item found by the program when it...
Read More
Related rules
- PUA - Potential PE Metadata Tamper Using Rcedit
- Procdump Execution
- Renamed CreateDump Utility Execution
- Suspicious MSDT Parent Process
- Execution from Suspicious Folder