# S0193 Forfiles

Forfiles is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. [1]
| Item | Value |
|---|---|
| ID | S0193 |
| Type | TOOL |
| Version | 1.0 |
| Created | 18 April 2018 |
| Last Modified | 17 October 2018 |
## Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1005 | Data from Local System | Forfiles can be used to act on (ex: copy, move, etc.) files/directories in a system during (ex: copy files into a staging area before). [2] |
| enterprise | T1083 | File and Directory Discovery | Forfiles can be used to locate certain types of files/directories in a system (ex: locate all files with a specific extension, name, and/or age). [2] |
| enterprise | T1202 | Indirect Command Execution | Forfiles can be used to subvert controls and possibly conceal command execution by not directly invoking cmd. [3][4] |
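As an added defender's example (not part of the ATT&CK entry), the Python below parses the forfiles switches documented by Microsoft (/p, /m, /s, /d, /c) out of process command lines and flags the two telltales of T1202 over constructed Sysmon-style process-creation records: a forfiles launch whose /c command does not go through cmd, and a non-cmd child process whose parent is forfiles.exe. The record contents, paths and the `stage.exe` name are made up for the example.

```python
import re
from typing import Dict, List

# Constructed sample records in a Sysmon Event ID 1-like shape (not real telemetry).
SAMPLE_RECORDS = [
    {"Image": r"C:\Windows\System32\forfiles.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'forfiles /p C:\logs /s /m *.log /d -30 /c "cmd /c del @file"'},   # routine cleanup
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r'cmd /c del "C:\logs\old.log"'},                                     # child of the cleanup
    {"Image": r"C:\Windows\System32\forfiles.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'forfiles /p C:\Users\Public /m *.docx /c "C:\Users\Public\stage.exe @path"'},
    {"Image": r"C:\Users\Public\stage.exe", "ParentImage": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r'C:\Users\Public\stage.exe "C:\Users\Public\q1.docx"'},
]

TOKEN_RE = re.compile(r'"[^"]*"|\S+')       # a quoted string or a bare token
VALUE_SWITCHES = {"/p", "/m", "/d", "/c"}   # switches that take an argument
FLAG_SWITCHES = {"/s"}                      # switch without an argument

def is_forfiles(image: str) -> bool:
    """True when the image path's file name is forfiles.exe (case-insensitive)."""
    return image.lower().rsplit("\\", 1)[-1] == "forfiles.exe"

def parse_forfiles(cmdline: str) -> Dict[str, str]:
    """Extract the forfiles switches (/p /m /s /d /c) from a command line into a dict."""
    tokens = TOKEN_RE.findall(cmdline)
    parsed: Dict[str, str] = {}
    i = 1  # token 0 is the forfiles executable itself
    while i < len(tokens):
        sw = tokens[i].lower()
        if sw in FLAG_SWITCHES:
            parsed[sw] = "1"
        elif sw in VALUE_SWITCHES and i + 1 < len(tokens):
            i += 1
            parsed[sw] = tokens[i].strip('"')
        i += 1
    return parsed

def triage(records: List[Dict[str, str]]) -> List[str]:
    """Return one alert string per record that matches a forfiles detection rule."""
    alerts = []
    for rec in records:
        image, parent = rec["Image"], rec["ParentImage"]
        if is_forfiles(image):
            sw = parse_forfiles(rec["CommandLine"])
            cmd = sw.get("/c", "cmd /c echo @file")  # documented default when /c is omitted
            if not cmd.lower().startswith("cmd /c"):
                alerts.append(f"T1202: forfiles /c runs '{cmd}' without cmd (parent {parent})")
        elif is_forfiles(parent) and not image.lower().endswith("\\cmd.exe"):
            alerts.append(f"T1202: {image} spawned directly by forfiles.exe")
    return alerts

if __name__ == "__main__":
    for line in triage(SAMPLE_RECORDS):
        print(line)
```

The parsed /p, /m and /d values are also the context a triage analyst wants for the T1083 and T1005 rows above (which paths, which file types, which age window).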
## Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0007 | APT28 | [2] |
## References

1. Microsoft. (2016, August 31). Forfiles. Retrieved January 22, 2018.
2. Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.
3. vector_sec. (2017, August 11). Defenders watching launches of cmd? What about forfiles? Retrieved January 22, 2018.
4. Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved January 22, 2018.