Forfiles Indirect Command Execution
Defense Evasion
This technique launches an executable without using cmd.exe.
Execution
forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe

Observations
Defenders can monitor process creation and command-line logs to detect this activity.
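One way to implement that monitoring, as an added example that is not part of the original page: it assumes process-creation records with Sysmon Event ID 1 field names (Image, CommandLine, ParentImage), runs over constructed sample events, and uses hypothetical function names. It flags forfiles.exe started with a command switch, and any process whose parent is forfiles.exe.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of process-creation records using Sysmon Event ID 1
# field names (assumption). These are not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r"forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\calc.exe",
     "CommandLine": "calc.exe",
     "ParentImage": r"C:\Windows\System32\forfiles.exe"},
    {"Image": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r"forfiles /p D:\logs /m *.log /d -30",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Match the /c switch in any letter case; "-c" is matched too as a precaution.
COMMAND_SWITCH = re.compile(r'(?:^|\s)[/-]c(?:\s|$|")', re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return a finding label for one process-creation event, or None."""
    # A process spawned by forfiles.exe is the indirect execution itself.
    if basename(event.get("ParentImage", "")) == "forfiles.exe":
        return "child-of-forfiles"
    # forfiles.exe started with a command to run for each matched file.
    if (basename(event.get("Image", "")) == "forfiles.exe"
            and COMMAND_SWITCH.search(event.get("CommandLine", ""))):
        return "forfiles-with-command"
    return None

def detect(events):
    """Return (label, image name, command line) for every flagged event."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label:
            findings.append((label, basename(ev["Image"]), ev["CommandLine"]))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The third sample event (a forfiles run with no command switch) and the fourth (notepad.exe started by explorer.exe) are not flagged, so the rule keys on the command switch and the parent-child relationship rather than on forfiles.exe alone.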

