{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/indirect-command-execution/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","indirect-command-execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe \u003ccode\u003eforfiles\u003c/code\u003e utility, a legitimate Windows tool, is being abused by threat actors to execute arbitrary commands indirectly. This technique allows them to bypass application control and potentially evade detection by security solutions that trust the \u003ccode\u003eforfiles.exe\u003c/code\u003e process. The attacks involve using \u003ccode\u003eforfiles\u003c/code\u003e with the \u003ccode\u003e/c\u003c/code\u003e or \u003ccode\u003e-c\u003c/code\u003e arguments to execute commands, effectively using \u003ccode\u003eforfiles\u003c/code\u003e as a proxy. This activity has been observed across multiple environments. Defenders should monitor for unexpected usages of \u003ccode\u003eforfiles\u003c/code\u003e with command execution arguments, especially when originating from unusual parent processes or user accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to execute a malicious command.\u003c/li\u003e\n\u003cli\u003eInstead of directly executing the command, the attacker uses \u003ccode\u003eforfiles.exe\u003c/code\u003e to proxy the execution.\u003c/li\u003e\n\u003cli\u003eThe attacker invokes \u003ccode\u003eforfiles.exe\u003c/code\u003e with the \u003ccode\u003e/c\u003c/code\u003e or \u003ccode\u003e-c\u003c/code\u003e argument followed by the command to be executed. For example: \u003ccode\u003eforfiles /p C:\\Windows\\System32 /s /m notepad.exe /c \u0026quot;cmd /c calc.exe\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eforfiles.exe\u003c/code\u003e executes the specified command through \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe malicious command performs actions such as downloading malware, modifying system settings, or establishing persistence.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or establishing a remote access channel.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can lead to a variety of malicious outcomes. Attackers can bypass application control policies, execute arbitrary code, and potentially compromise the entire system. The impact ranges from malware installation to data theft and remote control of the compromised machine. This can lead to significant financial loss, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Command Execution via ForFiles\u0026quot; to your SIEM and tune for your environment to detect malicious usages of \u003ccode\u003eforfiles.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003eforfiles.exe\u003c/code\u003e executing with the \u003ccode\u003e/c\u003c/code\u003e or \u003ccode\u003e-c\u003c/code\u003e arguments (see Sigma rule and log source).\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized or malicious executables (reference attack chain and overview).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of \u003ccode\u003eforfiles.exe\u003c/code\u003e executing commands from unusual parent processes or user accounts (see Sigma rule and overview).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-forfiles-indirect-execution/","summary":"Adversaries are leveraging the Windows `forfiles` utility to proxy command execution, potentially bypassing security controls by using a trusted process, for defense evasion.","title":"Command Execution via ForFiles Utility for Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-forfiles-indirect-execution/"}],"language":"en","title":"CraftedSignal Threat Feed - Indirect-Command-Execution","version":"https://jsonfeed.org/version/1.1"}