https://www.elastic.co/docs/reference/security/prebuilt-rules/rules/windows/defense_evasion_indirect_exec_forfiles
Command Execution via ForFiles | Prebuilt detection rules reference
Detects attempts to execute a command via the forfiles Windows utility. Adversaries may use this utility to proxy execution via a trusted parent process...
detection rulescommandexecutionviaforfiles