Twitter is great for all sorts of neat discoveries. This one came up this weekend and seemed like an interesting item to test and track down using NetWitness Endpoint and NetWitness Logs for Windows endpoints.
Eric on Twitter: "Defenders watching launches of cmd? What about forfiles? forfiles /p c:\windows\system32 /m notepa… (@vector_sec)
forfiles.exe (a built-in Windows utility for running a command against every file matching a pattern) looks to be an alternative to cmd.exe for launching programs: /p sets the directory, /m the file mask, and /c the command to run for each match. Its default /c command is "cmd /c echo @file", but any executable can be given instead, and because /m notepad.exe matches exactly one file, the command below runs exactly once. I tested the example provided above on a test Windows 7 machine to get logs from the endpoint via NetWitness Endpoint (NWEP) and Sysmon and see what they look like.
Example code:
forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe
cmd.exe does not appear anywhere in the resulting process chain: explorer.exe launches forfiles.exe, and forfiles.exe launches calc.exe directly. A detection keyed on suspicious cmd.exe executions (or on cmd.exe as the parent of the payload) would therefore miss this; the parent to look for is forfiles.exe.
What does it look like with Sysmon or NWEP tracking data in RSA NetWitness logs?
Sysmon Event ID 1 (Process Create) for the forfiles.exe launch, with Sysmon configured according to the post referenced here. Note the Image is forfiles.exe and the ParentImage is explorer.exe; the CommandLine field carries the /c payload, which is the field worth matching on:
%NICWIN-4-Microsoft-Windows-Sysmon/Operational_1_Microsoft-Windows-Sysmon: Microsoft-Windows-Sysmon/Operational,rn=525656 cid=1640 eid=1876,Sun Aug 13 23:03:44 2017,1,Microsoft-Windows-Sysmon,DC\SYSTEM,,win7.domain.local,Process Create (rule: ProcessCreate),,Process Create: UtcTime: 2017-08-13 23:03:44.099 ProcessGuid: {2B86A809-DAD0-5990-0000-0010CE3A9E02} ProcessId: 3780 Image: C:\Windows\System32\forfiles.exe CommandLine: "C:\Windows\system32\forfiles.exe" /p c:\windows\system32 /m notepad.exe /c calc.exe CurrentDirectory: C:\Windows\system32\ User: domain.local\windows_user1 LogonGuid: {2B86A809-DAA8-5990-0000-0020F0D19502} LogonId: 0x295d1f0 TerminalSessionId: 1 IntegrityLevel: Medium Hashes: MD5=2C6E78F7DF5EF1C4CCD49522EC6C018E,IMPHASH=39024B11F005CE66A5F62B758D79AE16 ParentProcessGuid: {2B86A809-DAAD-5990-0000-001006F39502} ParentProcessId: 3816 ParentImage: C:\Windows\explorer.exe ParentCommandLine: C:\Windows\Explorer.EXE
Note that NetWitness Endpoint produces three tracking events for this execution:
1 - OpenProcess: explorer.exe (the Run dialog in the Start menu) opens forfiles.exe
2 - CreateProcess: explorer.exe launches forfiles.exe
3 - CreateProcess: forfiles.exe launches calc.exe
%nwe_tracking: 79420||2017-08-13 23:03:44.3490422||00:50:56:B3:44:38||192.168.1.13||WIN7||c:\windows\||explorer.exe||c:\windows\explorer.exe||D5BC504277172BE5C54B60AD5C13209DC1F729131DEF084DE3EC8C72E54C58EF||||OpenProcess||c:\windows\system32\||forfiles.exe||c:\windows\system32\forfiles.exe||forfiles.exe /p c:\windows\system32 /m notepad.exe /c calc.exe||BF9610913C1CE2A06B277182E79A90F2FAE5C0A449125818D9F221819529DD68
%nwe_tracking: 79422||2017-08-13 23:03:44.0994422||00:50:56:B3:44:38||192.168.1.13||WIN7||c:\windows\||explorer.exe||c:\windows\explorer.exe||D5BC504277172BE5C54B60AD5C13209DC1F729131DEF084DE3EC8C72E54C58EF||||CreateProcess||c:\windows\system32\||forfiles.exe||c:\windows\system32\forfiles.exe||forfiles.exe /p c:\windows\system32 /m notepad.exe /c calc.exe||BF9610913C1CE2A06B277182E79A90F2FAE5C0A449125818D9F221819529DD68
%nwe_tracking: 79423||2017-08-13 23:03:44.3802422||00:50:56:B3:44:38||192.168.1.13||WIN7||c:\windows\system32\||forfiles.exe||c:\windows\system32\forfiles.exe||BF9610913C1CE2A06B277182E79A90F2FAE5C0A449125818D9F221819529DD68||forfiles.exe /p c:\windows\system32 /m notepad.exe /c calc.exe||CreateProcess||c:\windows\system32\||calc.exe||c:\windows\system32\calc.exe||calc.exe ||C6A91CBA00BF87CDB064C49ADAAC82255CBEC6FDD48FD21F9B3B96ABF019916B
An application rule for the Log Decoder that alerts on any endpoint tracking event involving forfiles.exe:
name=p2_forfiles_cmd_alternative rule="analysis.session='endpoint-event-include' && filename='forfiles.exe'" alert=analysis.session type=application
Expect benign hits from this rule: forfiles is commonly used in scheduled tasks and maintenance scripts (for example, deleting log files older than N days with /d). Tune on the /c payload or on forfiles.exe being the parent of an unexpected child rather than on the filename alone.
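To show the narrower detection as runnable logic, here is an added example (my own code, not from the original post or from RSA) that parses the three nwe_tracking lines captured above, flags forfiles.exe when it is the parent of a CreateProcess event, extracts the /c payload that forfiles will run, and checks whether cmd.exe appears anywhere in the chain. The column labels are my own reading of the 16 pipe-delimited positions, not NetWitness meta keys; the sample lines are copied from the capture above.

```python
import re

# Constructed sample input: the three NetWitness Endpoint tracking events
# from the test above, copied verbatim (pipe-delimited, 16 fields each).
SAMPLE_TRACKING = r"""
79420||2017-08-13 23:03:44.3490422||00:50:56:B3:44:38||192.168.1.13||WIN7||c:\windows\||explorer.exe||c:\windows\explorer.exe||D5BC504277172BE5C54B60AD5C13209DC1F729131DEF084DE3EC8C72E54C58EF||||OpenProcess||c:\windows\system32\||forfiles.exe||c:\windows\system32\forfiles.exe||forfiles.exe /p c:\windows\system32 /m notepad.exe /c calc.exe||BF9610913C1CE2A06B277182E79A90F2FAE5C0A449125818D9F221819529DD68
79422||2017-08-13 23:03:44.0994422||00:50:56:B3:44:38||192.168.1.13||WIN7||c:\windows\||explorer.exe||c:\windows\explorer.exe||D5BC504277172BE5C54B60AD5C13209DC1F729131DEF084DE3EC8C72E54C58EF||||CreateProcess||c:\windows\system32\||forfiles.exe||c:\windows\system32\forfiles.exe||forfiles.exe /p c:\windows\system32 /m notepad.exe /c calc.exe||BF9610913C1CE2A06B277182E79A90F2FAE5C0A449125818D9F221819529DD68
79423||2017-08-13 23:03:44.3802422||00:50:56:B3:44:38||192.168.1.13||WIN7||c:\windows\system32\||forfiles.exe||c:\windows\system32\forfiles.exe||BF9610913C1CE2A06B277182E79A90F2FAE5C0A449125818D9F221819529DD68||forfiles.exe /p c:\windows\system32 /m notepad.exe /c calc.exe||CreateProcess||c:\windows\system32\||calc.exe||c:\windows\system32\calc.exe||calc.exe ||C6A91CBA00BF87CDB064C49ADAAC82255CBEC6FDD48FD21F9B3B96ABF019916B
""".strip().splitlines()

# Assumed column labels: my own reading of the 16 positions in the lines
# above (source process, action, target process), not NetWitness field names.
COLUMNS = [
    "event_id", "time", "mac", "ip", "host",
    "src_dir", "src_file", "src_path", "src_hash", "src_cmdline",
    "action",
    "dst_dir", "dst_file", "dst_path", "dst_cmdline", "dst_hash",
]


def parse_tracking(line):
    """Split one nwe_tracking line into a dict keyed by COLUMNS."""
    parts = line.split("||")
    if len(parts) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} fields, got {len(parts)}")
    return dict(zip(COLUMNS, parts))


# The /c argument is the command forfiles runs per matched file. It is the
# last switch in practice, so capture everything after it to end of line.
FORFILES_C = re.compile(r"(?:^|\s)/c\s+(.+?)\s*$", re.IGNORECASE)


def forfiles_payload(cmdline):
    """Return the /c payload of a forfiles command line, minus surrounding quotes."""
    m = FORFILES_C.search(cmdline)
    if not m:
        return None
    return m.group(1).strip().strip('"')


def detect_forfiles_launcher(events):
    """Alert on forfiles.exe creating a child process (forfiles used as a launcher)."""
    alerts = []
    for ev in events:
        if ev["action"] != "CreateProcess":
            continue
        if ev["src_file"].lower() != "forfiles.exe":
            continue
        alerts.append({
            "event_id": ev["event_id"],
            "host": ev["host"],
            "child": ev["dst_path"],
            "forfiles_cmdline": ev["src_cmdline"],
            "payload": forfiles_payload(ev["src_cmdline"]),
        })
    return alerts


def chain_uses_cmd(events):
    """True only if cmd.exe is a parent or child somewhere in the events.

    A detection keyed on cmd.exe launches fires only when this is True; for
    the capture above it is False, which is the evasion the post describes.
    """
    names = set()
    for ev in events:
        names.add(ev["src_file"].lower())
        names.add(ev["dst_file"].lower())
    return "cmd.exe" in names


if __name__ == "__main__":
    events = [parse_tracking(line) for line in SAMPLE_TRACKING]
    for alert in detect_forfiles_launcher(events):
        print(f"ALERT {alert['event_id']} {alert['host']}: forfiles.exe launched "
              f"{alert['child']} (payload: {alert['payload']})")
    print("cmd.exe in chain:", chain_uses_cmd(events))
```

Only the third tracking event (forfiles.exe creating calc.exe) produces an alert; the two explorer.exe events are the user launching forfiles itself and are not flagged, which is what separates "forfiles ran" from "forfiles was used to launch something".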