Create proc_creation_win_lolbin_forfiles.yml

rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml

@@ -0,0 +1,29 @@
+title: Use of Forfiles For Execution
+id: 9aa5106d-bce3-4b13-86df-3a20f1d5cf0b
+status: experimental
+description: Execute commands and binaries from the context of "forfiles". This is used as a LOLBIN for example to bypass application whitelisting.
+author: Nasreddine Bencherchali
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
+    - https://pentestlab.blog/2020/07/06/indirect-command-execution/
+date: 2022/06/14
+logsource:
+  category: process_creation
+  product: windows
+detection:
+    selection_img:
+        - Image|endswith: \forfiles.exe
+        - OriginalFileName: forfiles.exe
+    selection_cli:
+        CommandLine|contains|all:
+            # The CLI accepts combination of both "slash" and "dash"
+            - ' /p '
+            - ' /m '
+            - ' /c '
+    condition: all of selection*
+falsepositives:
+    - Legitimate use by a via a batch script or by an administrator.
+level: medium
+tags:
+    - attack.execution
+    - attack.t1059