Forfiles Command Execution (9aa5106d-bce3-4b13-86df-3a20f1d5cf0b)
Detects the execution of "forfiles" with the "/c" flag. While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary. Can be used to bypass application whitelisting.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Forfiles Command Execution (9aa5106d-bce3-4b13-86df-3a20f1d5cf0b) | Sigma-Rules | 1 |