search

T1202: Forfiles Indirect Command Execution

Defense Evasion

This technique launches an executable without a cmd.exe.

hashtag
Execution

forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe

hashtag
Observations

Defenders can monitor for process creation/commandline logs to detect this activity:

hashtag
References

LogoIndirect Command Execution, Technique T1202 - Enterprise | MITRE ATT&CK®attack.mitre.orgchevron-right
PreviousUsing MSBuild to Execute Shellcode in C#NextApplication Whitelisting Bypass with WMIC and XSL

Last updated