Merge PR #4661 from @Tuutaans - Suspicious forfiles Child processes
new: Forfiles.EXE Child Process Masquerading
update: Forfiles Command Execution - Remove unnecessary selection and enhance metadata information

---------

Co-authored-by: Anish Bogati <[email protected]>
Co-authored-by: nasbench <[email protected]>
3 people authored Jan 10, 2024
1 parent ff4dee3 commit 2b90adc
Showing 2 changed files with 48 additions and 13 deletions.
@@ -0,0 +1,39 @@
title: Forfiles.EXE Child Process Masquerading
id: f53714ec-5077-420e-ad20-907ff9bb2958
status: experimental
description: |
Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
references:
- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
date: 2024/01/05
tags:
- attack.defense_evasion
- attack.t1036
logsource:
category: process_creation
product: windows
detection:
selection:
# Notes:
# - The parent must not have CLI options
# - The Child Image must be named "cmd" as its hardcoded in the "forfiles" binary
# - The Child CLI will always contains "/c echo" as its hardcoded in the original "forfiles" binary
ParentCommandLine|endswith:
- '.exe'
- '.exe"'
Image|endswith: '\cmd.exe'
CommandLine|startswith: '/c echo "'
filter_main_parent_not_sys:
ParentImage|contains:
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
ParentImage|endswith: '\forfiles.exe'
Image|contains:
- ':\Windows\System32\'
- ':\Windows\SysWOW64\'
Image|endswith: '\cmd.exe'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: high
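Review bot: `selection` never constrains `ParentImage`, so the rule fires for any parent whose command line ends in `.exe` or `.exe"` and that spawns `cmd.exe` with `/c echo "`; `filter_main_parent_not_sys` only removes the case where both the parent forfiles and the child cmd.exe sit under System32/SysWOW64. If that breadth is deliberate (a renamed forfiles cannot be matched by name), the description should say so. The `ParentCommandLine|endswith` list also requires an explicit `.exe` suffix, so a parent started as plain `forfiles` from an interactive shell, whose logged command line has no extension, is missed even though it has no CLI options either, which the comment `# - The parent must not have CLI options` does not reflect. Given `level: high`, replace `- Unknown` under `falsepositives` with the legitimate cases the filter exists for.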
@@ -1,17 +1,21 @@
title: Use of Forfiles For Execution
title: Forfiles Command Execution
id: 9aa5106d-bce3-4b13-86df-3a20f1d5cf0b
related:
- id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8
type: obsoletes
- id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
type: obsoletes
status: test
description: Execute commands and binaries from the context of "forfiles". This is used as a LOLBIN for example to bypass application whitelisting.
description: |
Detects the execution of "forfiles" with the "/c" flag.
While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.
Can be used to bypass application whitelisting.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
- https://pentestlab.blog/2020/07/06/indirect-command-execution/
author: Nasreddine Bencherchali (Nextron Systems)
author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2022/06/14
modified: 2024/01/05
tags:
- attack.execution
- attack.t1059
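Review bot: the new multi-line `description` ends with the fragment `Can be used to bypass application whitelisting.`; fold it into the preceding sentence (e.g. `...proxy execution through it with any binary, for example to bypass application whitelisting.`). Since the `author` line now credits the authors of the two rules listed under `related` with `type: obsoletes` (`a85cf4e3-...` and `fa47597e-...`), the commit message should state that this rule supersedes them, and `status: test` should be re-confirmed because the detection logic changes in the same commit.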
Expand All @@ -22,19 +26,11 @@ detection:
selection_img:
- Image|endswith: '\forfiles.exe'
- OriginalFileName: 'forfiles.exe'
selection_cli_p:
CommandLine|contains:
- ' /p '
- ' -p '
selection_cli_m:
CommandLine|contains:
- ' /m '
- ' -m '
selection_cli_c:
selection_cli:
CommandLine|contains:
- ' /c '
- ' -c '
condition: all of selection*
condition: all of selection_*
falsepositives:
- Legitimate use via a batch script or by an administrator.
level: medium
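Review bot: removing `selection_cli_p` and `selection_cli_m` widens the rule from forfiles runs that combine `/p`, `/m` and `/c` to every run carrying ` /c ` or ` -c `, which includes the routine scheduled-task and batch-script usage already named under `falsepositives`; `level: medium` and the falsepositives entry should be revisited with that widening in mind, or the commit message should record the expected alert volume. The rename to `condition: all of selection_*` is consistent with the `selection_img` / `selection_cli` names and keeps the OR list in `selection_img` (`Image|endswith` or `OriginalFileName`) effective against a renamed binary.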
