forfiles.exe
- File Path:
C:\windows\SysWOW64\forfiles.exe - Description: ForFiles - Executes a command on selected files
Hashes
| Type | Hash |
|---|---|
| MD5 | 663A605F4B0532F1565ECA49238463F1 |
| SHA1 | 223D7DBC724304DC40230DC70A79014BB912083B |
| SHA256 | B23D7C93C9B1D568E608EBAE4ED38634F73280AA61104687D60AA3DB33F93307 |
| SHA384 | 10387A59F043C58863BDE41897F94B557F9E1185F098C32C6395D32DDDCB3A4FF966280033F7F79D29CD658165D32D39 |
| SHA512 | 3546F4FF2DE0899547D09E8104B952F50923EDE9611166F5110124EC415C6BA278EB7E2078E6741893B29B064D65C239F8EAA2B8A63E15E90A8F948F55262AEF |
| SSDEEP | 768:I96fS4A9RwCnBIxMLKKtMZ3Pop82t1i+JDAjqq40HQDxFlf9WpI3M:I966RnnB12ndut1i+xA+n0GxFlVWp3 |
Signature
- Status: The file C:\windows\SysWOW64\forfiles.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename: forfiles.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
- Product Version: 6.3.9600.16384
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of forfiles.exe being misused. While forfiles.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | godmode_sigma_rule.yml | - '\forfiles.exe' |
DRL 1.0 |
| sigma | sysmon_suspicious_remote_thread.yml | - '\forfiles.exe' |
DRL 1.0 |
| sigma | file_event_win_win_shell_write_susp_directory.yml | - '\forfiles.exe' |
DRL 1.0 |
| sigma | proc_creation_win_indirect_cmd.yml | description: Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe). |
DRL 1.0 |
| sigma | proc_creation_win_indirect_cmd.yml | - '\forfiles.exe' |
DRL 1.0 |
| sigma | proc_creation_win_office_shell.yml | - '\forfiles.exe' |
DRL 1.0 |
| sigma | proc_creation_win_outlook_shell.yml | - '\forfiles.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_servu_process_pattern.yml | - '\forfiles.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_shell_spawn_by_java.yml | - '\forfiles.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_shell_spawn_by_java_keytool.yml | - '\forfiles.exe' |
DRL 1.0 |
| sigma | proc_creation_win_susp_system_user_anomaly.yml | - '\forfiles.exe' |
DRL 1.0 |
| LOLBAS | Forfiles.yml | Name: Forfiles.exe |
|
| LOLBAS | Forfiles.yml | - Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe |
|
| LOLBAS | Forfiles.yml | Usecase: Use forfiles to start a new process to evade defensive counter measures |
|
| LOLBAS | Forfiles.yml | - Command: forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe" |
|
| LOLBAS | Forfiles.yml | Usecase: Use forfiles to start a new process from a binary hidden in an alternate data stream |
|
| LOLBAS | Forfiles.yml | - Path: C:\Windows\System32\forfiles.exe |
|
| LOLBAS | Forfiles.yml | - Path: C:\Windows\SysWOW64\forfiles.exe |
|
| malware-ioc | misp_invisimole.json | "description": "Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)\n\nAdversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.", |
© ESET 2014-2018 |
| atomic-red-team | index.md | - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #2: Indirect Command Execution - forfiles.exe [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1202.md | <blockquote>Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1202.md | - Atomic Test #2 - Indirect Command Execution - forfiles.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1202.md | ## Atomic Test #2 - Indirect Command Execution - forfiles.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1202.md | forfiles.exe may invoke the execution of programs and commands from a Command-Line Interface. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1202.md | Reference | MIT License. © 2018 Red Canary |
| atomic-red-team | T1202.md | forfiles /p c:\windows\system32 /m notepad.exe /c #{process} | MIT License. © 2018 Red Canary |
| signature-base | apt_sofacy_xtunnel_bundestag.yar | $s3 = “forfiles” | CC BY-NC 4.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
forfiles
Selects and runs a command on a file or set of files. This command is most commonly used in batch files.
Syntax
forfiles [/P pathname] [/M searchmask] [/S] [/C command] [/D [+ | -] [{<date> | <days>}]]
Parameters
| Parameter | Description |
|---|---|
/P <pathname> |
Specifies the path from which to start the search. By default, searching starts in the current working directory. |
/M <searchmask> |
Searches files according to the specified search mask. The default searchmask is *. |
| /S | Instructs the forfiles command to search in subdirectories recursively. |
/C <command> |
Runs the specified command on each file. Command strings should be wrapped in double quotes. The default command is "cmd /c echo @file". |
/D [{+\|-}][{<date> | <days>}] |
Selects files with a last modified date within the specified time frame:<ul><li>Selects files with a last modified date later than or equal to (+) or earlier than or equal to (-) the specified date, where date is in the format MM/DD/YYYY.</li><li>Selects files with a last modified date later than or equal to (+) the current date plus the number of days specified, or earlier than or equal to (-) the current date minus the number of days specified.</li><li>Valid values for days include any number in the range 0–32,768. If no sign is specified, + is used by default.</li></ul> |
| /? | Displays the help text in the cmd window. |
Remarks
-
The
forfiles /Scommand is similar todir /S. -
You can use the following variables in the command string as specified by the /C command-line option:
Variable Description @FILE File name. @FNAME File name without extension. @EXT File name extension. @PATH Full path of the file. @RELPATH Relative path of the file. @ISDIR Evaluates to TRUE if a file type is a directory. Otherwise, this variable evaluates to FALSE. @FSIZE File size, in bytes. @FDATE Last modified date stamp on the file. @FTIME Last modified time stamp on the file. -
The forfiles command lets you run a command on or pass arguments to multiple files. For example, you could run the type command on all files in a tree with the .txt file name extension. Or you could execute every batch file (*.bat) on drive C, with the file name Myinput.txt as the first argument.
-
This command can:
-
Select files by an absolute date or a relative date by using the /d parameter.
-
Build an archive tree of files by using variables such as @FSIZE and @FDATE.
-
Differentiate files from directories by using the @ISDIR variable.
-
Include special characters in the command line by using the hexadecimal code for the character, in 0xHH format (for example, 0x09 for a tab).
-
-
This command works by implementing the
recurse subdirectoriesflag on tools that are designed to process only a single file.
Examples
To list all of the batch files on drive C, type:
forfiles /P c:\ /S /M *.bat /C "cmd /c echo @file is a batch file"
To list all of the directories on drive C, type:
forfiles /P c:\ /S /M * /C "cmd /c if @isdir==TRUE echo @file is a directory"
To list all of the files in the current directory that are at least one year old, type:
forfiles /S /M *.* /D -365 /C "cmd /c echo @file is at least one year old."
To display the text file is outdated for each of the files in the current directory that are older than January 1, 2007, type:
forfiles /S /M *.* /D -01/01/2007 /C "cmd /c echo @file is outdated."
To list the file name extensions of all the files in the current directory in column format, and add a tab before the extension, type:
forfiles /S /M *.* /C "cmd /c echo The extension of @file is 0x09@ext"
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.