
Summary
This detection rule identifies use of the Windows command-line utility `forfiles` with its `/c` switch. `forfiles` is a legitimate tool for batch file processing, but the command given after `/c` is executed once for every file that matches the selection criteria, so an attacker can use it as a proxy to launch an arbitrary binary through a built-in, trusted Windows executable and sidestep application allow-listing controls that trust it. The rule monitors process creation events for `forfiles.exe` whose command-line arguments contain the `/c` switch; `/C` should be treated the same way, since Windows switches are case-insensitive. Because scheduled maintenance scripts commonly use the same switch, for example to delete old log files, a match should be reviewed against the parent process and the command passed to `/c`, with known-good scheduled tasks tuned out, rather than treated as a confirmed incident.
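As an added example, not part of the original rule or its project, the following Python reproduces the rule's logic over constructed process-creation events. It tokenizes the command line so that `/c` is matched as a whole argument (case-insensitively) rather than as a substring of a path, and it also compares the PE original file name so a renamed copy of forfiles.exe is still caught. The event fields, field names and sample records are assumptions, not real telemetry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Rough Windows command-line tokenizer: a double-quoted run, or a run of non-whitespace.
_TOKEN_RE = re.compile(r'"[^"]*"|\S+')

FORFILES = "forfiles.exe"


@dataclass
class ProcessEvent:
    """A process-creation event reduced to the fields the rule needs (field names are assumed)."""
    process_name: str        # image file name as executed
    original_file_name: str  # OriginalFilename from the PE version resource
    command_line: str
    parent_name: str


def tokenize(command_line: str) -> List[str]:
    return _TOKEN_RE.findall(command_line)


def is_forfiles(ev: ProcessEvent) -> bool:
    # Compare case-insensitively; also check the PE original name so a renamed copy is caught.
    return FORFILES in {ev.process_name.lower(), ev.original_file_name.lower()}


def has_command_switch(command_line: str) -> bool:
    # Whole-token match: "/c" or "/C" as its own argument, not "/c" appearing inside a path.
    return any(tok.lower() == "/c" for tok in tokenize(command_line))


def command_payload(command_line: str) -> Optional[str]:
    # Return the argument following /c with surrounding quotes stripped: what forfiles will run per file.
    toks = tokenize(command_line)
    for i, tok in enumerate(toks):
        if tok.lower() == "/c" and i + 1 < len(toks):
            return toks[i + 1].strip('"')
    return None


def evaluate(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Apply the rule: forfiles.exe (by image or original file name) started with an explicit /c."""
    return [ev for ev in events if is_forfiles(ev) and has_command_switch(ev.command_line)]


# Constructed sample events for illustration, not real telemetry.
SAMPLE_EVENTS = [
    # 1: classic LOLBin proxy execution, should alert
    ProcessEvent("forfiles.exe", "forfiles.exe",
                 r'forfiles.exe /p C:\Windows\System32 /m notepad.exe /c calc.exe', "cmd.exe"),
    # 2: upper-case image and switch, should still alert
    ProcessEvent("FORFILES.EXE", "forfiles.exe",
                 r'FORFILES.EXE /p C:\Logs /m *.log /d -30 /C "cmd /c del @path"', "cmd.exe"),
    # 3: renamed copy of forfiles.exe, caught via the original file name
    ProcessEvent("svchost_helper.exe", "forfiles.exe",
                 r'svchost_helper.exe /p C:\Users\Public /m *.txt /c "powershell -nop -c whoami"',
                 "explorer.exe"),
    # 4: forfiles without an explicit /c, no alert
    ProcessEvent("forfiles.exe", "forfiles.exe",
                 r'forfiles.exe /p C:\Temp /s /m *.tmp', "cmd.exe"),
    # 5: /c on a different binary, no alert
    ProcessEvent("cmd.exe", "Cmd.Exe", r'cmd.exe /c whoami', "explorer.exe"),
    # 6: "/c" only as a substring of a path, no alert (a naive substring match would fire here)
    ProcessEvent("forfiles.exe", "forfiles.exe",
                 r'forfiles.exe /p C:\build/c /m *.o', "cmd.exe"),
]


if __name__ == "__main__":
    for ev in evaluate(SAMPLE_EVENTS):
        print(f"ALERT parent={ev.parent_name} image={ev.process_name} "
              f"runs: {command_payload(ev.command_line)}")
```

In triage, `command_payload` is the field worth looking at first: a maintenance task will pass something like `cmd /c del @path`, while a proxy-execution abuse passes an interpreter or an unexpected binary, often with a parent that is not a scheduler or an admin shell.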
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2022-06-14