Merge PR #4661 from @Tuutaans - Suspicious forfiles Child processes
new: Forfiles.EXE Child Process Masquerading
update: Forfiles Command Execution - Remove unnecessary selection and enhance metadata information

---------

Co-authored-by: Anish Bogati <[email protected]>
Co-authored-by: nasbench <[email protected]>
1 parent ff4dee3, commit 2b90adc
Showing 2 changed files with 48 additions and 13 deletions.
rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml (39 changes: 39 additions & 0 deletions)
@@ -0,0 +1,39 @@ | ||
title: Forfiles.EXE Child Process Masquerading | ||
id: f53714ec-5077-420e-ad20-907ff9bb2958 | ||
status: experimental | ||
description: | | ||
Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory. | ||
references: | ||
- https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/ | ||
author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati | ||
date: 2024/01/05 | ||
tags: | ||
- attack.defense_evasion | ||
- attack.t1036 | ||
logsource: | ||
category: process_creation | ||
product: windows | ||
detection: | ||
selection: | ||
# Notes: | ||
# - The parent must not have CLI options | ||
# - The Child Image must be named "cmd" as its hardcoded in the "forfiles" binary | ||
# - The Child CLI will always contains "/c echo" as its hardcoded in the original "forfiles" binary | ||
ParentCommandLine|endswith: | ||
- '.exe' | ||
- '.exe"' | ||
Image|endswith: '\cmd.exe' | ||
CommandLine|startswith: '/c echo "' | ||
filter_main_parent_not_sys: | ||
ParentImage|contains: | ||
- ':\Windows\System32\' | ||
- ':\Windows\SysWOW64\' | ||
ParentImage|endswith: '\forfiles.exe' | ||
Image|contains: | ||
- ':\Windows\System32\' | ||
- ':\Windows\SysWOW64\' | ||
Image|endswith: '\cmd.exe' | ||
condition: selection and not 1 of filter_main_* | ||
falsepositives: | ||
- Unknown | ||
level: high |
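Review bot: the `selection` block never binds the parent to forfiles, so `Image|endswith: '\cmd.exe'` together with `CommandLine|startswith: '/c echo "'` will match any argument-less parent that spawns cmd to echo a quoted string, and the only exclusion is the System32/SysWOW64 forfiles-to-cmd pair in `filter_main_parent_not_sys`. If that wider scope is intended because a copied forfiles binary may be renamed, state it in `description` and replace `falsepositives: - Unknown` with that case; otherwise add `ParentImage|endswith: '\forfiles.exe'` to `selection`. Two smaller points: `ParentCommandLine|endswith: '.exe'` / `'.exe"'` misses a parent started without the extension typed (a bare `forfiles` on the command line), and the `# Notes:` comments have typos (`its hardcoded` should be `it's hardcoded`, `will always contains` should be `will always contain`).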