Forfiles.EXE Child Process Masquerading (f53714ec-5077-420e-ad20-907ff9bb2958)
Detects the execution of "forfiles" from a non-default location, in order to potentially spawn a custom "cmd.exe" from the current working directory.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Forfiles.EXE Child Process Masquerading (f53714ec-5077-420e-ad20-907ff9bb2958) | Sigma-Rules | 1 |