Forfiles Command Execution (9aa5106d-bce3-4b13-86df-3a20f1d5cf0b)
Detects the execution of "forfiles" with the "/c" flag. While this is expected behavior of the tool, it can be abused to proxy execution of any binary through it, and it can therefore be used to bypass application whitelisting.
Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
---|---|---|---|---|
Forfiles Command Execution (9aa5106d-bce3-4b13-86df-3a20f1d5cf0b) | Sigma-Rules | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 1 |