Forfiles Command Execution

Detects the execution of "forfiles" with the "/c" flag. While this is expected behaviour of the tool, the flag runs an arbitrary command for each matched file, so it can be abused to proxy execution of any binary through forfiles.exe and thereby bypass application whitelisting.

Sigma rule

title: Forfiles Command Execution
id: 9aa5106d-bce3-4b13-86df-3a20f1d5cf0b
related:
    - id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8
      type: obsoletes
    - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
      type: obsoletes
status: test
description: |
    Detects the execution of "forfiles" with the "/c" flag.
    While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.
    Can be used to bypass application whitelisting.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
    - https://pentestlab.blog/2020/07/06/indirect-command-execution/
author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2022/06/14
modified: 2024/01/05
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\forfiles.exe'
        - OriginalFileName: 'forfiles.exe'
    selection_cli:
        CommandLine|contains:
            - ' /c '
            - ' -c '
    condition: all of selection_*
falsepositives:
    - Legitimate use via a batch script or by an administrator.
level: medium
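To see how the rule's two selections and its condition resolve against process-creation fields, here is an added Python evaluation of the rule logic (written for this page, not code from the rule or the Sigma project) run over constructed Sysmon-style events; the paths and command lines in the samples are made up for illustration, and Sigma's default case-insensitive `endswith`/`contains` semantics are assumed.

```python
"""Evaluate the Forfiles Command Execution Sigma logic over process_creation events."""

# Sigma default modifiers: 'endswith'/'contains' are case-insensitive substring
# checks, and a list of values under one field is OR-ed together.

def selection_img(event: dict) -> bool:
    """Image ends with '\\forfiles.exe' OR OriginalFileName is 'forfiles.exe'."""
    image = event.get("Image", "").lower()
    ofn = event.get("OriginalFileName", "").lower()
    return image.endswith("\\forfiles.exe") or ofn == "forfiles.exe"

def selection_cli(event: dict) -> bool:
    """CommandLine contains ' /c ' or ' -c ' (case-insensitive)."""
    cli = event.get("CommandLine", "").lower()
    return " /c " in cli or " -c " in cli

def matches(event: dict) -> bool:
    """condition: all of selection_* -> both selections must hold."""
    return selection_img(event) and selection_cli(event)

# Constructed sample events (not real telemetry), Sysmon Event ID 1 style fields.
SAMPLE_EVENTS = [
    {   # scheduled log cleanup: fires, and is the documented false positive
        "Image": r"C:\Windows\System32\forfiles.exe",
        "OriginalFileName": "forfiles.exe",
        "CommandLine": r'forfiles /p C:\Logs /m *.log /d -30 /C "cmd /c del @file"',
    },
    {   # binary copied under another name: OriginalFileName still identifies it
        "Image": r"C:\Users\Public\ff.exe",
        "OriginalFileName": "forfiles.exe",
        "CommandLine": r'ff.exe /p C:\Windows\System32 /m notepad.exe -c "@file"',
    },
    {   # forfiles without /c: nothing is proxied, must not fire
        "Image": r"C:\Windows\System32\forfiles.exe",
        "OriginalFileName": "forfiles.exe",
        "CommandLine": r"forfiles /p C:\Logs /m *.log",
    },
    {   # cmd.exe /c is everywhere and is not forfiles: must not fire
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": r"cmd.exe /c dir C:\Logs",
    },
]

def alerting_events(events=SAMPLE_EVENTS) -> list:
    """Indexes of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches(ev)]
```

The first two samples fire (one is the rule's stated false positive, one shows why `OriginalFileName` matters when the binary is renamed), while the last two do not, which is the behaviour to confirm before tuning the `medium` level for your environment.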
