Techniques
Sample rules
Forfiles Command Execution
- source: sigma
- techniques:
- t1059
Description
Detects the execution of “forfiles” with the “/c” flag. While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary. Can be used to bypass application whitelisting.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains|windash: ' -c '
selection_img:
- Image|endswith: \forfiles.exe
- OriginalFileName: forfiles.exe
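To show how the two selections combine, here is an added Python example (not part of the Sigma rule or the Sigma project) that evaluates the rule's logic over a handful of constructed process-creation events. It assumes the `windash` modifier expands `-` into `-`, `/` and the Unicode dash variants listed in `DASH_VARIANTS`, that matching is case-insensitive as in Sigma's defaults, and that events carry the `Image`, `OriginalFileName` and `CommandLine` fields by those names.

```python
from typing import Optional

# Dash forms the Sigma windash modifier is assumed to expand "-" into
# (assumption: hyphen, forward slash, en dash, em dash, horizontal bar).
DASH_VARIANTS = ("-", "/", "\u2013", "\u2014", "\u2015")


def windash_variants(pattern: str) -> list:
    """Return every form of `pattern` with its '-' replaced by a dash variant."""
    return [pattern.replace("-", dash) for dash in DASH_VARIANTS]


def contains_windash(value: str, pattern: str) -> bool:
    """Case-insensitive 'contains' check across all windash expansions of the pattern."""
    haystack = value.lower()
    return any(variant.lower() in haystack for variant in windash_variants(pattern))


def matches_forfiles_rule(image: Optional[str], original_file_name: Optional[str],
                          command_line: str) -> bool:
    """Mirror the rule: condition is 'all of selection_*', so both selections must hold."""
    # selection_cli: CommandLine|contains|windash: ' -c '
    selection_cli = contains_windash(command_line, " -c ")
    # selection_img: either the image path ends with \forfiles.exe (catches the
    # normal case) or the PE's OriginalFileName is forfiles.exe (catches a renamed copy).
    selection_img = (
        (image or "").lower().endswith("\\forfiles.exe")
        or (original_file_name or "").lower() == "forfiles.exe"
    )
    return selection_cli and selection_img


# Constructed sample events; none of these come from a real host.
SAMPLE_EVENTS = [
    {   # Expected admin use: /c is present, so the rule fires (known source of noise).
        "id": "scheduled-log-cleanup",
        "Image": r"C:\Windows\System32\forfiles.exe",
        "OriginalFileName": "forfiles.exe",
        "CommandLine": r'forfiles /p C:\logs /m *.log /d -30 /c "cmd /c del @file"',
    },
    {   # Renamed binary: Image no longer ends with \forfiles.exe, OriginalFileName still does.
        "id": "renamed-forfiles",
        "Image": r"C:\Temp\ff.exe",
        "OriginalFileName": "forfiles.exe",
        "CommandLine": r'ff.exe /p . /m *.txt -c "cmd /c echo @file"',
    },
    {   # forfiles without /c: only listing files, selection_cli fails.
        "id": "forfiles-list-only",
        "Image": r"C:\Windows\System32\forfiles.exe",
        "OriginalFileName": "forfiles.exe",
        "CommandLine": r"forfiles /p C:\logs /m *.log /d -30",
    },
    {   # cmd.exe with /c: selection_cli holds but selection_img does not.
        "id": "cmd-not-forfiles",
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd /c whoami",
    },
]


def evaluate(events: list) -> list:
    """Return the ids of the events the rule would alert on, in input order."""
    return [
        e["id"]
        for e in events
        if matches_forfiles_rule(e.get("Image"), e.get("OriginalFileName"), e["CommandLine"])
    ]


if __name__ == "__main__":
    for event_id in evaluate(SAMPLE_EVENTS):
        print("ALERT:", event_id)
```

Running the sample shows both halves of the rule at work: the `OriginalFileName` clause keeps the renamed copy in scope, while the cleanup job illustrates why the description warns that `/c` is also normal behaviour and why alerts from this rule usually need tuning against the parent process and the child command being proxied.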