1. Home
  2. Software
  3. Forfiles

Forfiles

Forfiles is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. [1]

ID: S0193
Type: TOOL
Platforms: Windows
Contributors: Matthew Demaske, Adaptforward
Version: 1.0
Created: 18 April 2018
Last Modified: 17 October 2018
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

Forfiles can be used to act on (ex: copy, move, etc.) files/directories in a system during (ex: copy files into a staging area before).[2]
Enterprise T1083 File and Directory Discovery

Forfiles can be used to locate certain types of files/directories in a system.(ex: locate all files with a specific extension, name, and/or age)[2]
Enterprise T1202 Indirect Command Execution

Forfiles can be used to subvert controls and possibly conceal command execution by not directly invoking cmd.[3][4]

Groups That Use This Software

ID Name References
G0007 APT28

[2]

References

  1. Microsoft. (2016, August 31). Forfiles. Retrieved January 22, 2018.
  2. Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.
  1. vector_sec. (2017, August 11). Defenders watching launches of cmd? What about forfiles?. Retrieved January 22, 2018.
  2. Evi1cg. (2017, November 26). block cmd.exe ? try this :. Retrieved January 22, 2018.