Forfiles Command Execution

Sigma Rules

Summary
This detection rule identifies use of the Windows command-line utility `forfiles` with the `/c` flag, which an attacker can exploit to execute arbitrary commands. While `forfiles` is a legitimate tool for batch file processing, its command execution parameter lets it act as a proxy for launching potentially malicious binaries, circumventing application whitelisting controls. The rule monitors process creation events for instances where `forfiles.exe` is involved, particularly with command-line arguments containing the `/c` switch. This monitoring allows organizations to detect suspicious command execution patterns and respond to potential security incidents.
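The matcher below is an added example written for this page, not the Sigma rule itself or any project code. It reproduces the logic the summary describes (process creation event, image or original file name is `forfiles.exe`, `/c` present as its own argument) in Python and runs it over constructed process-creation events shaped like Sysmon Event ID 1 fields. The field names, file paths and command lines are assumptions chosen for illustration, including one event where the binary has been renamed so that only `OriginalFileName` still identifies it.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Constructed process-creation events (Sysmon Event ID 1 style fields).
# Every value here is made up for the example; none comes from a real host.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {   # legitimate log cleanup: matches the rule, so analysts will see it
        "id": 1,
        "Image": r"C:\Windows\System32\forfiles.exe",
        "OriginalFileName": "forfiles.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'forfiles /p C:\Logs /m *.log /d -30 /c "cmd /c del @path"',
    },
    {   # forfiles without /c: listing only, no command execution
        "id": 2,
        "Image": r"C:\Windows\System32\forfiles.exe",
        "OriginalFileName": "forfiles.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"forfiles /p C:\Logs /m *.log /s",
    },
    {   # renamed copy of forfiles launching a binary from a user-writable path
        "id": 3,
        "Image": r"C:\Users\Public\ff.exe",
        "OriginalFileName": "forfiles.exe",
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'ff.exe /p C:\Users\Public /m *.txt /C "C:\Users\Public\tool.exe @file"',
    },
    {   # /c on a different binary: outside the rule's scope
        "id": 4,
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd /c dir C:\Logs",
    },
]

# Quoted strings become one token, so a "/c" nested inside the quoted
# forfiles command (e.g. cmd /c ...) is not mistaken for the forfiles switch.
_QUOTED_OR_BARE = re.compile(r'"[^"]*"|\S+')


def tokenize(command_line: str) -> List[str]:
    """Split a Windows command line into quoted strings and bare tokens.

    Sufficient for switch matching; it does not implement the full
    CommandLineToArgvW quoting rules.
    """
    return _QUOTED_OR_BARE.findall(command_line)


def is_forfiles(event: Dict[str, object]) -> bool:
    """Identify forfiles by image name or by PE OriginalFileName (survives renaming)."""
    image = ntpath.basename(str(event.get("Image", ""))).lower()
    original = str(event.get("OriginalFileName", "")).lower()
    return image == "forfiles.exe" or original == "forfiles.exe"


def match(event: Dict[str, object]) -> Optional[Dict[str, object]]:
    """Return triage details when the event is forfiles executing a /c command, else None."""
    if not is_forfiles(event):
        return None
    tokens = tokenize(str(event.get("CommandLine", "")))
    for i, tok in enumerate(tokens):
        if tok.lower() == "/c":          # forfiles switches are case-insensitive
            spawned = tokens[i + 1].strip('"') if i + 1 < len(tokens) else ""
            return {
                "id": event["id"],
                "renamed": ntpath.basename(str(event["Image"])).lower() != "forfiles.exe",
                "parent": event.get("ParentImage"),
                "spawned": spawned,      # what /c will run for every matched file
            }
    return None


def scan(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Apply the rule to a batch of process-creation events and collect the hits."""
    return [m for m in (match(e) for e in events) if m is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Because `/c` is also the switch legitimate scripts use (event 1 above), hits from this rule need triage rather than automatic blocking: the parent process, the `spawned` command and whether the binary was renamed are the fields that separate scheduled maintenance from proxy execution. In production the same logic belongs in the Sigma rule evaluated over Sysmon Event ID 1 or Windows Security 4688; for 4688, command-line auditing ("Include command line in process creation events") must be enabled, or the `/c` condition can never match.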
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
Created: 2022-06-14