Forfiles Command Execution

 1title: Forfiles Command Execution
 2id: 9aa5106d-bce3-4b13-86df-3a20f1d5cf0b
 3related:
 4    - id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8
 5      type: obsoletes
 6    - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
 7      type: obsoletes
 8status: test
 9description: |
10    Detects the execution of "forfiles" with the "/c" flag.
11    While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.
12    Can be used to bypass application whitelisting.    
13references:
14    - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
15    - https://pentestlab.blog/2020/07/06/indirect-command-execution/
16author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
17date: 2022/06/14
18modified: 2024/03/05
19tags:
20    - attack.execution
21    - attack.t1059
22logsource:
23    category: process_creation
24    product: windows
25detection:
26    selection_img:
27        - Image|endswith: '\forfiles.exe'
28        - OriginalFileName: 'forfiles.exe'
29    selection_cli:
30        CommandLine|contains|windash: ' -c '
31    condition: all of selection_*
32falsepositives:
33    - Legitimate use via a batch script or by an administrator.
34level: medium

References

• Forfiles | LOLBAS

  Executes the evil.exe Alternate Data Stream (AD) since there is a match for notepad.exe in the c:\windows\system32 folder. forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:ev...

  
  Read More

• Indirect Command Execution

  

  The windows ecosystem provides multiple binaries that could be used by adversaries to execute arbitrary commands that will evade detection especially in environments that are monitoring binaries su…

  
  Read More

Related rules

• Add Insecure Download Source To Winget
• Add New Download Source To Winget
• HackTool - Stracciatella Execution
• Install New Package Via Winget Local Manifest
• Potential Xterm Reverse Shell