Merge PR #4661 from @Tuutaans - Suspicious forfiles Child processes

new: Forfiles.EXE Child Process Masquerading
update: Forfiles Command Execution - Remove unnecessary selection and enhance metadata information

---------

Co-authored-by: Anish Bogati <abo@logpoint.com>
Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>

rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml

@@ -0,0 +1,39 @@
+title: Forfiles.EXE Child Process Masquerading
+id: f53714ec-5077-420e-ad20-907ff9bb2958
+status: experimental
+description: |
+    Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
+references:
+    - https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
+author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
+date: 2024/01/05
+tags:
+    - attack.defense_evasion
+    - attack.t1036
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        # Notes:
+        #   - The parent must not have CLI options
+        #   - The Child Image must be named "cmd" as its hardcoded in the "forfiles" binary
+        #   - The Child CLI will always contains "/c echo" as its hardcoded in the original "forfiles" binary
+        ParentCommandLine|endswith:
+            - '.exe'
+            - '.exe"'
+        Image|endswith: '\cmd.exe'
+        CommandLine|startswith: '/c echo "'
+    filter_main_parent_not_sys:
+        ParentImage|contains:
+            - ':\Windows\System32\'
+            - ':\Windows\SysWOW64\'
+        ParentImage|endswith: '\forfiles.exe'
+        Image|contains:
+            - ':\Windows\System32\'
+            - ':\Windows\SysWOW64\'
+        Image|endswith: '\cmd.exe'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml

@@ -1,4 +1,4 @@
-title: Use of Forfiles For Execution
+title: Forfiles Command Execution
 id: 9aa5106d-bce3-4b13-86df-3a20f1d5cf0b
 related:
     - id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8
@@ -6,12 +6,16 @@ related:
     - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
       type: obsoletes
 status: test
-description: Execute commands and binaries from the context of "forfiles". This is used as a LOLBIN for example to bypass application whitelisting.
+description: |
+    Detects the execution of "forfiles" with the "/c" flag.
+    While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.
+    Can be used to bypass application whitelisting.
 references:
     - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
     - https://pentestlab.blog/2020/07/06/indirect-command-execution/
-author: Nasreddine Bencherchali (Nextron Systems)
+author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
 date: 2022/06/14
+modified: 2024/01/05
 tags:
     - attack.execution
     - attack.t1059
@@ -22,19 +26,11 @@ detection:
     selection_img:
         - Image|endswith: '\forfiles.exe'
         - OriginalFileName: 'forfiles.exe'
-    selection_cli_p:
-        CommandLine|contains:
-            - ' /p '
-            - ' -p '
-    selection_cli_m:
-        CommandLine|contains:
-            - ' /m '
-            - ' -m '
-    selection_cli_c:
+    selection_cli:
         CommandLine|contains:
             - ' /c '
             - ' -c '
-    condition: all of selection*
+    condition: all of selection_*
 falsepositives:
     - Legitimate use via a batch script or by an administrator.
 level: medium