<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Indirect-Command-Execution - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/indirect-command-execution/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/indirect-command-execution/feed.xml" rel="self" type="application/rss+xml"/><item><title>Command Execution via ForFiles Utility for Defense Evasion</title><link>https://feed.craftedsignal.io/briefs/2024-01-forfiles-indirect-execution/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-forfiles-indirect-execution/</guid><description>Adversaries are leveraging the Windows `forfiles` utility to proxy command execution, potentially bypassing security controls by using a trusted process, for defense evasion.</description><content:encoded><![CDATA[<p>The <code>forfiles</code> utility, a legitimate Windows tool, is being abused by threat actors to execute arbitrary commands indirectly. This technique allows them to bypass application control and potentially evade detection by security solutions that trust the <code>forfiles.exe</code> process. The attacks involve using <code>forfiles</code> with the <code>/c</code> or <code>-c</code> arguments to execute commands, effectively using <code>forfiles</code> as a proxy. This activity has been observed across multiple environments. Defenders should monitor for unexpected usages of <code>forfiles</code> with command execution arguments, especially when originating from unusual parent processes or user accounts.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).</li>
<li>The attacker attempts to execute a malicious command.</li>
<li>Instead of directly executing the command, the attacker uses <code>forfiles.exe</code> to proxy the execution.</li>
<li>The attacker invokes <code>forfiles.exe</code> with the <code>/c</code> or <code>-c</code> argument followed by the command to be executed. For example: <code>forfiles /p C:\Windows\System32 /s /m notepad.exe /c &quot;cmd /c calc.exe&quot;</code>.</li>
<li><code>forfiles.exe</code> executes the specified command through <code>cmd.exe</code>.</li>
<li>The malicious command performs actions such as downloading malware, modifying system settings, or establishing persistence.</li>
<li>The attacker achieves their objective, such as data exfiltration or establishing a remote access channel.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this technique can lead to a variety of malicious outcomes. Attackers can bypass application control policies, execute arbitrary code, and potentially compromise the entire system. The impact ranges from malware installation to data theft and remote control of the compromised machine. This can lead to significant financial loss, reputational damage, and disruption of business operations.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;Detect Command Execution via ForFiles&quot; to your SIEM and tune for your environment to detect malicious usages of <code>forfiles.exe</code>.</li>
<li>Monitor process creation events for <code>forfiles.exe</code> executing with the <code>/c</code> or <code>-c</code> arguments (see Sigma rule and log source).</li>
<li>Implement application control policies to restrict the execution of unauthorized or malicious executables (reference attack chain and overview).</li>
<li>Investigate any instances of <code>forfiles.exe</code> executing commands from unusual parent processes or user accounts (see Sigma rule and overview).</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>defense-evasion</category><category>indirect-command-execution</category><category>windows</category></item></channel></rss>