Forfiles Command Execution
Detects the execution of "forfiles" with the "/c" flag. While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary, which can be used to bypass application whitelisting.
Sigma rule
```yaml
title: Forfiles Command Execution
id: 9aa5106d-bce3-4b13-86df-3a20f1d5cf0b
related:
    - id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8
      type: obsolete
    - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
      type: obsolete
status: test
description: |
    Detects the execution of "forfiles" with the "/c" flag.
    While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.
    Can be used to bypass application whitelisting.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
    - https://pentestlab.blog/2020/07/06/indirect-command-execution/
author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2022-06-14
modified: 2024-03-05
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\forfiles.exe'
        - OriginalFileName: 'forfiles.exe'
    selection_cli:
        CommandLine|contains|windash: ' -c '
    condition: all of selection_*
falsepositives:
    - Legitimate use via a batch script or by an administrator.
level: medium
```
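To make the detection logic concrete, the following is an added example (not part of the rule page or of the Sigma project) that evaluates the rule's two selections over a handful of constructed process_creation events. It shows why `selection_img` checks `OriginalFileName` as well as `Image` (the image path changes when the binary is copied under another name, the PE metadata does not) and what the `windash` modifier does to the `' -c '` pattern. The set of dash characters expanded by `windash` and all event contents are assumptions made here; the helper names are not from any Sigma backend.

```python
"""Evaluate the 'Forfiles Command Execution' Sigma rule over sample events.

Added example, not code from the page or the Sigma project. The dash
variants in WINDASH_VARIANTS and the sample events are constructed here.
"""
from typing import Dict, List

# windash: Sigma expands a '-' in the pattern to every dash a Windows
# command-line parser may accept, including the '/' switch character.
# Assumption: the expansion set used by current pySigma builds.
WINDASH_VARIANTS = ["-", "/", "\u2013", "\u2014", "\u2015"]


def windash_patterns(pattern: str) -> List[str]:
    """Return all windash permutations of a pattern containing '-'."""
    return [pattern.replace("-", dash) for dash in WINDASH_VARIANTS]


def selection_img(event: Dict[str, str]) -> bool:
    """selection_img is a list of maps, so the two checks are OR-ed.

    Sigma string matching is case-insensitive by default, hence lower().
    """
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\forfiles.exe") or original == "forfiles.exe"


def selection_cli(event: Dict[str, str]) -> bool:
    """CommandLine|contains|windash: ' -c ' (any dash variant, any case)."""
    cmdline = event.get("CommandLine", "").lower()
    return any(p in cmdline for p in windash_patterns(" -c "))


def matches(event: Dict[str, str]) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


# Constructed process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {   # plain use of /c: runs a command once per matched file
        "EventId": "evt-1",
        "Image": r"C:\Windows\System32\forfiles.exe",
        "OriginalFileName": "forfiles.exe",
        "CommandLine": r'forfiles /p C:\Windows\Temp /m *.log /c "cmd /c echo @file"',
    },
    {   # copied under another name: Image misses, OriginalFileName still hits
        "EventId": "evt-2",
        "Image": r"C:\Users\Public\ff.exe",
        "OriginalFileName": "forfiles.exe",
        "CommandLine": r'ff.exe /p C:\Temp /m *.txt -c "notepad.exe @file"',
    },
    {   # forfiles without /c (only lists files): selection_cli fails
        "EventId": "evt-3",
        "Image": r"C:\Windows\System32\forfiles.exe",
        "OriginalFileName": "forfiles.exe",
        "CommandLine": r"forfiles /p C:\Logs /m *.log /d -30",
    },
    {   # another binary with ' -c ': selection_img fails
        "EventId": "evt-4",
        "Image": r"C:\Program Files\Git\bin\bash.exe",
        "OriginalFileName": "bash.exe",
        "CommandLine": 'bash.exe -c "ls"',
    },
    {   # en-dash switch: only matched because of the windash expansion
        "EventId": "evt-5",
        "Image": r"C:\Windows\System32\forfiles.exe",
        "OriginalFileName": "forfiles.exe",
        "CommandLine": 'forfiles /m *.tmp \u2013c "notepad.exe @file"',
    },
]


def run(events: List[Dict[str, str]]) -> List[str]:
    """Return the EventId of every event the rule would alert on."""
    return [e["EventId"] for e in events if matches(e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["EventId"], "ALERT" if matches(event) else "no match")
```

Running it alerts on evt-1, evt-2 and evt-5 only. evt-1 is exactly the kind of hit the rule lists under `falsepositives` (an administrator or batch script using `/c` legitimately), which is why the rule sits at `level: medium` and should be triaged on the parent process and the command passed to `/c` rather than treated as a confirmed incident.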