
Command Execution via ForFiles

Elastic Detection Rules

Summary
This detection rule identifies potentially malicious use of the 'forfiles' utility on Windows. Adversaries may misuse this command-line tool to execute commands under a trusted parent process and so evade detection. The rule monitors for executions of 'forfiles.exe' whose process command line contains a '/c' or '-c' argument. It is written in Event Query Language (EQL) and works across several data sources, including Winlogbeat, Microsoft Defender, and endpoint security logs from SentinelOne and CrowdStrike. The associated risk score indicates a medium level of concern, warranting investigation and, if the activity is confirmed malicious, incident response. Analysts are encouraged to verify the user's intent, assess whether use of tools like 'forfiles' is normal in the user's geographical context, and take remediation steps where necessary; false positives are possible given the legitimate use cases for this utility. The rule is applicable in production environments and specifies minimum stack version requirements.
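The matching logic described above, reproduced in Python as an added example (this is not the rule's own EQL query and not Elastic's code): a process-creation event matches when the process name is forfiles.exe and its command line carries a standalone '/c' or '-c' switch, compared case-insensitively. The field names (process.name, process.command_line, user.name) follow ECS naming as an assumption, and the sample events are constructed, not real telemetry; the first one is a routine log-cleanup job and shows why the summary warns about false positives.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not real telemetry).
# Field names follow ECS as an assumption about the data source.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # legitimate scheduled cleanup; still matches, hence a possible false positive
        "process.name": "forfiles.exe",
        "process.command_line": 'forfiles /p C:\\logs /s /m *.log /d -30 /c "cmd /c del @path"',
        "user.name": "svc_backup",
    },
    {   # switch spelled with a dash and upper case; rule compares case-insensitively
        "process.name": "FORFILES.EXE",
        "process.command_line": 'FORFILES -C "cmd /c echo @file"',
        "user.name": "jdoe",
    },
    {   # forfiles without /c: enumerates files only, no match
        "process.name": "forfiles.exe",
        "process.command_line": "forfiles /p C:\\temp /m *.tmp",
        "user.name": "jdoe",
    },
    {   # '-c' present but the process is not forfiles.exe: no match
        "process.name": "notepad.exe",
        "process.command_line": "notepad.exe C:\\notes\\todo.txt -c",
        "user.name": "jdoe",
    },
]

# A standalone /c or -c token: preceded by whitespace or start of line,
# followed by whitespace or end of line. Case-insensitive, like the rule.
_COMMAND_SWITCH = re.compile(r"(?<!\S)[/-]c(?=\s|$)", re.IGNORECASE)


def is_forfiles_command_execution(event: Dict[str, str]) -> bool:
    """True when the event is forfiles.exe launched with a /c or -c argument."""
    name = event.get("process.name", "").lower()
    if name != "forfiles.exe":
        return False
    return _COMMAND_SWITCH.search(event.get("process.command_line", "")) is not None


def find_matches(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return an alert record for every matching event, carrying the fields an
    analyst needs to start triage (who ran it and the exact command line)."""
    alerts = []
    for event in events:
        if is_forfiles_command_execution(event):
            alerts.append({
                "rule": "Command Execution via ForFiles",
                "technique": "T1202",
                "risk": "medium",          # risk level as stated by the rule summary
                "user": event.get("user.name", ""),
                "command_line": event.get("process.command_line", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_matches(SAMPLE_EVENTS):
        print(f"[{alert['risk']}] {alert['user']}: {alert['command_line']}")
```

Only the first two sample events produce alerts. When triaging, the command-line field of each alert is what tells a legitimate cleanup task (as in the first sample) apart from a command launched through forfiles to hide behind a trusted parent process.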
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • Application Log
  • Command
  • Logon Session
ATT&CK Techniques
  • T1202
Created: 2025-02-03