diff --git a/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml b/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml
new file mode 100644
index 000000000..7054dfbcb
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_forfiles_child_process_masquerading.yml
@@ -0,0 +1,39 @@
+title: Forfiles.EXE Child Process Masquerading
+id: f53714ec-5077-420e-ad20-907ff9bb2958
+status: experimental
+description: |
+ Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
+references:
+ - https://www.hexacorn.com/blog/2023/12/31/1-little-known-secret-of-forfiles-exe/
+author: Nasreddine Bencherchali (Nextron Systems), Anish Bogati
+date: 2024/01/05
+tags:
+ - attack.defense_evasion
+ - attack.t1036
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ # Notes:
+ # - The parent must not have CLI options
+ # - The Child Image must be named "cmd" as its hardcoded in the "forfiles" binary
+ # - The Child CLI will always contains "/c echo" as its hardcoded in the original "forfiles" binary
+ ParentCommandLine|endswith:
+ - '.exe'
+ - '.exe"'
+ Image|endswith: '\cmd.exe'
+ CommandLine|startswith: '/c echo "'
+ filter_main_parent_not_sys:
+ ParentImage|contains:
+ - ':\Windows\System32\'
+ - ':\Windows\SysWOW64\'
+ ParentImage|endswith: '\forfiles.exe'
+ Image|contains:
+ - ':\Windows\System32\'
+ - ':\Windows\SysWOW64\'
+ Image|endswith: '\cmd.exe'
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - Unknown
+level: high
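Review bot: The `ParentCommandLine|endswith` values `.exe` and `.exe"` only match when the parent was started with its extension spelled out, so an interactive `forfiles` typed without the extension (presumably the simplest way to trigger the referenced behaviour, and one that leaves the bare command line `forfiles`) falls outside `selection`. Adding `- 'forfiles'` and `- 'forfiles"'` to that list covers the un-renamed case; a renamed copy cannot be pinned down by this field at all, which is worth stating in the `# Notes:` block. Separately, nothing in `selection` ties the parent to forfiles: any argument-less parent spawning `cmd.exe` with `/c echo "` fires at level high unless it is exactly the System32/SysWOW64 forfiles-plus-cmd pair excluded by the filter, and `falsepositives: - Unknown` gives the analyst nothing to go on. Either add `ParentImage|endswith: '\forfiles.exe'` to `selection`, or replace the `Unknown` entry with a sentence saying the rule deliberately keys on the child only and that other tools launching `cmd.exe /c echo "..."` will match.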
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml b/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml
similarity index 61%
rename from rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml
rename to rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml
index 2d7b64f07..9a276c8d7
--- a/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml
+++ b/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml
@@ -1,4 +1,4 @@
-title: Use of Forfiles For Execution
+title: Forfiles Command Execution
id: 9aa5106d-bce3-4b13-86df-3a20f1d5cf0b
related:
- id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8
@@ -6,12 +6,16 @@ related:
- id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
type: obsoletes
status: test
-description: Execute commands and binaries from the context of "forfiles". This is used as a LOLBIN for example to bypass application whitelisting.
+description: |
+ Detects the execution of "forfiles" with the "/c" flag.
+ While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.
+ Can be used to bypass application whitelisting.
references:
- https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
- https://pentestlab.blog/2020/07/06/indirect-command-execution/
-author: Nasreddine Bencherchali (Nextron Systems)
+author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2022/06/14
+modified: 2024/01/05
tags:
- attack.execution
- attack.t1059
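Review bot: The new description says the rule detects forfiles "with the "/c" flag", but the detection in the following hunk (`selection_cli`) also matches ` -c `, so the text understates what will fire and an analyst reading only the description would not expect `-c` hits. Change the first description line to `Detects the execution of "forfiles" with the "/c" (or "-c") flag.` so the prose matches the selection. The `modified` date is correctly added; the rest of this hunk is metadata and needs nothing further.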
@@ -22,19 +26,11 @@ detection:
selection_img:
- Image|endswith: '\forfiles.exe'
- OriginalFileName: 'forfiles.exe'
- selection_cli_p:
- CommandLine|contains:
- - ' /p '
- - ' -p '
- selection_cli_m:
- CommandLine|contains:
- - ' /m '
- - ' -m '
- selection_cli_c:
+ selection_cli:
CommandLine|contains:
- ' /c '
- ' -c '
- condition: all of selection*
+ condition: all of selection_*
falsepositives:
- Legitimate use via a batch script or by an administrator.
level: medium
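Review bot: With `selection_cli_p` and `selection_cli_m` removed, `all of selection_*` reduces to "forfiles.exe with ` /c ` or ` -c ` anywhere in the command line", and the hunk carries no comment recording that this broadening is intentional (it now also covers ordinary `forfiles ... /c "..."` housekeeping, which the existing batch-script false positive and the medium level seem to anticipate). A one-line comment above `selection_cli` such as `# /p and /m are optional; an explicit /c is the only part needed to make forfiles run an arbitrary binary` would keep the next reader from re-adding the dropped selections. The space-padded patterns also require a space after the flag, so a `/c` followed by a tab or written as `/c"..."` would be missed; whether forfiles accepts those spellings I could not confirm from here, so treat it as something to test rather than a definite gap.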