Forfiles Potential Misuse

Rule added on 30th May, 2024

Rule type:

Correlation

Rule description:

Forfiles is a Windows command-line utility that allows administrators to perform batch operations on multiple files based on specified criteria such as date, file size, file path, last-modified date and more.

Following is a list of actions that can be achieved using Forfiles:

  • Batch processing operations based on file name, file size, or file path attributes
  • File searches that match specific criteria within directories
  • Listing all of the directories in drive C
  • Incorporation into command-line scripts to automate file-related operations

However, attackers may attempt to misuse the command for file searches, extraction of sensitive files to an external location, and malware propagation.

Attack chain scenario: Enumeration of sensitive files -> Forfiles-based data extraction -> Unauthorized access to data

Impact:

It can be used by adversaries in the following ways:

  • Malware propagation
  • Deletion of critical files
  • Data exfiltration

Data source:

Windows > Process Creation

Required configuration: The rule is based on process creation and termination events. Prerequisites are installing and configuring Sysmon, enabling the audit process creation policy, and enabling command-line auditing.

Relevant MITRE ATT&CK techniques and tactics:

Tactic: TA0005 - Defense Evasion

Technique: T1202 - Indirect Command Execution

Criteria:

( PROCESSNAME endswith "forfiles.exe" OR OriginalFileName contains "forfiles" ) AND ( COMMANDLINE contains "/p" OR COMMANDLINE contains "-p" OR COMMANDLINE contains "/m" OR COMMANDLINE contains "-m" OR COMMANDLINE contains "/c" OR COMMANDLINE contains "-c" )

Forfiles - Use of 'forfiles.exe' in the command line may suggest that attackers are attempting to perform file-related operations such as file search or file deletion.

/P - Specifies the path to search for files.

/M - Searches for files matching the specified search mask.

/C - Runs the specified command on each file.
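As an added example that is not part of the rule's documentation, the criteria above applied in Python to a few constructed Sysmon-style process-creation events; the field names, sample paths and the triage helper are assumptions:

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields),
# not taken from any real log: process image, OriginalFileName and CommandLine.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\forfiles.exe",
     "OriginalFileName": "forfiles.exe",
     "CommandLine": r'forfiles /p C:\Users /s /m *.docx /c "cmd /c copy @path \\fileshare\out"'},
    {"Image": r"C:\Temp\ff.exe",            # renamed binary; OriginalFileName still gives it away
     "OriginalFileName": "forfiles.exe",
     "CommandLine": r'ff.exe -p C:\Finance -m *.xlsx -c "cmd /c del @file"'},
    {"Image": r"C:\Windows\System32\forfiles.exe",
     "OriginalFileName": "forfiles.exe",
     "CommandLine": "forfiles /?"},         # help text only, no /p, /m or /c switch
    {"Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd.exe /c dir C:\ "},  # cmd /c is not forfiles
]

# The switch substrings named in the rule criteria.
SWITCHES = ("/p", "-p", "/m", "-m", "/c", "-c")

def matches_rule(event):
    """Return True when the event satisfies the rule criteria (case-insensitive)."""
    image = event.get("Image", "").lower()
    orig = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    is_forfiles = image.endswith("forfiles.exe") or "forfiles" in orig
    has_switch = any(s in cmd for s in SWITCHES)
    return is_forfiles and has_switch

def triage(events):
    """Apply the rule and pull out the /P, /M and /C arguments of each hit for the analyst."""
    hits = []
    for e in events:
        if matches_rule(e):
            # capture the value after /P|-P, /M|-M, /C|-C (quoted or bare) for quick triage
            args = {k.upper(): v.strip('"') for k, v in
                    re.findall(r'[/-]([pPmMcC])\s+("[^"]*"|\S+)', e["CommandLine"])}
            hits.append({"Image": e["Image"], "args": args})
    return hits

if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(h)
```

Because the criteria use plain substring matches, any argument containing "-c" or "/p" (a path such as `C:\build-cache`, for instance) also satisfies the COMMANDLINE clause; extracting the actual switch values as above helps separate such hits from real use of /P, /M and /C.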

When to enable this rule:

Security standards (NIST CSF 2.0):

Enabling this rule will help you meet the security standards' requirements listed below:

PR.PS-06: Secure software development practices are integrated, and their performance is monitored throughout the software development life cycle

When this rule is triggered, you're notified of a potential download activity using Forfiles. This enables you to review the access and permissions and take corrective measures, such as regularly monitoring the use of such tools for any unauthorized access.

Known false positives: Broad file-search criteria or an incorrect file path may lead to false positives.

Next steps:

When this alert is triggered, the following measures can be implemented:

  • Identification: Identify if the alert is a new incident or part of an existing incident.
  • Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
  • Response: Respond promptly by initiating an automated workflow to terminate the malicious process.
  • Implement access controls: Deploy strong access controls and permissions to ensure users have access to only authorized resources.