Forfiles Command Execution (9aa5106d-bce3-4b13-86df-3a20f1d5cf0b)
Detects the execution of "forfiles" with the "/c" flag. While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary. Can be used to bypass application whitelisting.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Forfiles Command Execution (9aa5106d-bce3-4b13-86df-3a20f1d5cf0b) | Sigma-Rules | 1 |