← Back to Explore
sigmahighHunting
Forfiles.EXE Child Process Masquerading
Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
Detection Query
selection:
ParentCommandLine|endswith:
- .exe
- .exe"
Image|endswith: \cmd.exe
CommandLine|startswith: /c echo "
filter_main_parent_not_sys:
ParentImage|contains:
- :\Windows\System32\
- :\Windows\SysWOW64\
ParentImage|endswith: \forfiles.exe
Image|contains:
- :\Windows\System32\
- :\Windows\SysWOW64\
Image|endswith: \cmd.exe
condition: selection and not 1 of filter_main_*
Author
Nasreddine Bencherchali (Nextron Systems), Anish Bogati
Created
2024-01-05
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.defense-evasionattack.t1036
Raw Content
title: Forfiles.EXE Child Process Masquerading
id: f53714ec-5077-420e-ad20-907ff9bb2958
status: test
description: |
Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
references:
- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
date: 2024-01-05
tags:
- attack.defense-evasion
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
# Notes:
# - The parent must not have CLI options
# - The Child Image must be named "cmd" as its hardcoded in the "forfiles" binary
# - The Child CLI will always contains "/c echo" as its hardcoded in the original "forfiles" binary
ParentCommandLine|endswith:
- '.exe'
- '.exe"'
Image|endswith: '\cmd.exe'
CommandLine|startswith: '/c echo "'
filter_main_parent_not_sys:
ParentImage|contains:
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
ParentImage|endswith: '\forfiles.exe'
Image|contains:
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
Image|endswith: '\cmd.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high